Akamai Diversity

Akamai Security Intelligence
& Threat Research

HTTP2 Vulnerabilities

On Tuesday, August 13th at 10 AM Pacific Time (1700UTC), Netflix publicly disclosed a series of vulnerabilities found by Jonathan Looney that impact many implementations of the HTTP2 protocol. A vulnerability found by Piotr Sikora of Google was also released at the same time. Akamai is grateful to the reporters for their work and pre-release coordination.

About the Vulnerabilities

All of the HTTP2 vulnerabilities referenced above are resource exhaustion vulnerabilities, which would impact the availability of the attacked systems and services, thus not compromising the confidentiality or integrity of the data contained within. Vectors like these have been seen in the past when exploited on other protocols, like HTTP2's predecessor HTTP with the Slowloris and Zero Window connection stressing.

Rather than us going into detail on each of the vulnerabilities, please see the write up provided by Netflix.

 



Vulnerability

CVE

Reporters 

Data Dribble

CVE-2019-9511

Jonathan Looney, Netflix

Ping Flood

CVE-2019-9512

Jonathan Looney, Netflix

Resource Loop

CVE-2019-9513

Jonathan Looney, Netflix

Reset Flood

CVE-2019-9514

Jonathan Looney, Netflix

Settings Flood

CVE-2019-9515

Jonathan Looney, Netflix

0-Length Headers Leak (Nginx variant)

CVE-2019-9516

Jonathan Looney, Netflix

Internal Data Buffering

CVE-2019-9517

Jonathan Looney, Netflix

Empty Frames Flood

CVE-2019-9518

Piotr Sikora, Google

 

 

Akamai Impact

Some Akamai services were impacted by this vulnerability, but all customer services have been patched. Akamai recommends that all Internet connected HTTP2 services be patched for these vulnerabilities as soon as possible. CDN customers that use Akamai and have up-to-date SiteShield lists should be protected from these vulnerabilities while their origin infrastructure is patched.

 

Leave a comment