Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

HTTP/2 DoS attack vulnerabilities CVE-2019-9512 CVE-2019-9514 CVE-2019-9515 #2090

Closed
kazuho opened this issue Aug 12, 2019 · 3 comments
Closed

HTTP/2 DoS attack vulnerabilities CVE-2019-9512 CVE-2019-9514 CVE-2019-9515 #2090

kazuho opened this issue Aug 12, 2019 · 3 comments

Comments

@kazuho
Copy link
Member

@kazuho kazuho commented Aug 12, 2019

Recently, a series of DoS attack vulnerabilities have been reported on a broad range of HTTP/2 stacks. Among the vulnerabilities, H2O is exposed to the following:

  • CVE-2019-9512 (Ping Flood)
  • CVE-2019-9514 (Reset Flood)
  • CVE-2019-9515 (Settings Flood)

These vulnerabilities have been fixed in version 2.2.6 and 2.3.0-beta2.

H2O is not vulnerable to CVE-2019-9511 (Data Dribble), CVE-2019-9513 (Resource Loop), CVE-2019-9516 (0-Length Headers Leak), CVE-2019-9517 (Internal Data Buffering), CVE-2019-9518 (Empty Frames Flood).

TBD: links to CVEs, acknowledgements.

@kazuho kazuho changed the title TBD HTTP/2 DoS attack vulnerabilities CVE-2019-9512 CVE-2019-9514 CVE-2019-9515 Aug 13, 2019
@mmuehlenhoff
Copy link

@mmuehlenhoff mmuehlenhoff commented Aug 21, 2019

Is this all fixed by 743d6b6 or is this issue kept open for some other angles?

@kazuho
Copy link
Member Author

@kazuho kazuho commented Aug 21, 2019

@mmuehlenhoff All fixed as of that commit.

@gladk
Copy link

@gladk gladk commented Aug 21, 2019

Can this issue then be closed please?

@kazuho kazuho changed the title HTTP/2 DoS attack vulnerabilities CVE-2019-9512 CVE-2019-9514 CVE-2019-9515 HTTP/2 DoS attack vulnerabilities CVE-2019-9512 CVE-2019-9514 CVE-2019-9515 (fixed) Aug 21, 2019
@kazuho kazuho changed the title HTTP/2 DoS attack vulnerabilities CVE-2019-9512 CVE-2019-9514 CVE-2019-9515 (fixed) HTTP/2 DoS attack vulnerabilities CVE-2019-9512 CVE-2019-9514 CVE-2019-9515 Aug 21, 2019
@kazuho kazuho closed this Aug 21, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
3 participants