Researchers from Netflix and Google have discovered a number of vulnerabilities in several implementations of HTTP/2. Exploitation of the vulnerabilities allows attackers to cause a denial of service unpatched servers.
The problem affects servers which support HTTP/2. According to statistics from W3Techs, it is 40,0% of all web sites on the Internet.
We found only eight vulnerabilities that can be remotely proekspluatirovat. According to the researchers, all vectors of attacks are variations on the same scheme, when the customer provokes the response of vulnerable servers, and then refuses to read it. Depending on the capabilities of the server to manage queues, the client is able to use its excessive memory and CPU for processing incoming requests.
The vulnerabilities were assigned the following CVE:-CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517 and CVE-2019-9518. Exploitation allows an attacker to query huge amounts of data among multiple threads, send continuous pings the HTTP/2-the feast and the flow of frames or titles without names and values on the affected server. Depending on how the data is to queue and consume excessive CPU resources, it can lead to denial of service.
As reported by CERT coordination center, vulnerability, affect the products of such vendors like Amazon, Apache, Apple, Facebook, Microsoft, nginx, Node.js and Ubuntu. Some companies have already corrected a problem has been detected and recorded several unsuccessful attacks.
Read more •••