HTTP/2 DoS attack vulnerabilities CVE-2019-9512 CVE-2019-9514 CVE-2019-9515 #2090

Open
kazuho opened this issue Aug 12, 2019 · 0 comments

Comments

@kazuho
Member

commented Aug 12, 2019

Recently, a series of DoS attack vulnerabilities have been reported on a broad range of HTTP/2 stacks. Among the vulnerabilities, H2O is exposed to the following:

  • CVE-2019-9512 (Ping Flood)
  • CVE-2019-9514 (Reset Flood)
  • CVE-2019-9515 (Settings Flood)

These vulnerabilities have been fixed in versions 2.2.6 and 2.3.0-beta2.

H2O is not vulnerable to CVE-2019-9511 (Data Dribble), CVE-2019-9513 (Resource Loop), CVE-2019-9516 (0-Length Headers Leak), CVE-2019-9517 (Internal Data Buffering), CVE-2019-9518 (Empty Frames Flood).

TBD: links to CVEs, acknowledgements.

@kazuho kazuho changed the title TBD HTTP/2 DoS attack vulnerabilities CVE-2019-9512 CVE-2019-9514 CVE-2019-9515 Aug 13, 2019
