oss-sec mailing list archives
CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers
From: Daniel Ruggeri <druggeri () apache org>
Date: Wed, 14 Aug 2019 15:50:09 -0500
CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers.

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected: httpd 2.4.20 to 2.4.39

Description: A malicious client could perform a DoS attack by flooding a connection with requests and basically never reading responses on the TCP connection. Depending on h2 worker dimensioning, it was possible to block those with relatively few connections.

Mitigation: All httpd users deploying mod_http2 should upgrade to 2.4.40 or later. Unpatched servers can disable HTTP/2 protocol.

Credit: The issue was discovered by Jonathan Looney of Netflix.

References: https://httpd.apache.org/security/vulnerabilities_24.html
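An exposure check built from the version range and mitigation in the advisory above, as an added example that is not part of the original message or of the Apache project's code. The function names, the sample `httpd -v` banner and the sample configuration are constructed; the check reads only the text it is given and does not follow `Include` directives or account for per-vhost scoping.

```python
import re

# Range taken from the advisory: httpd 2.4.20 to 2.4.39; fixed in 2.4.40.
AFFECTED_MIN = (2, 4, 20)
AFFECTED_MAX = (2, 4, 39)

def parse_version(banner):
    """Extract (major, minor, patch) from `httpd -v` style output, or None."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def version_affected(banner):
    v = parse_version(banner)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX

def http2_enabled(conf_text):
    """True if any Protocols directive in the given text offers h2 or h2c.

    With no Protocols directive httpd defaults to http/1.1 only.
    """
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # httpd comments are whole lines
            continue
        parts = line.split()
        if parts[0].lower() == "protocols" and any(
            p.lower() in ("h2", "h2c") for p in parts[1:]
        ):
            return True
    return False

def assess(banner, conf_text):
    """Combine both checks into one finding string."""
    if parse_version(banner) is None:
        return "unknown version"
    if not version_affected(banner):
        return "not in affected range"
    if http2_enabled(conf_text):
        return "affected: upgrade to 2.4.40 or later, or disable HTTP/2"
    return "affected version, HTTP/2 not offered"

# Constructed sample inputs (not taken from any real host).
SAMPLE_BANNER = "Server version: Apache/2.4.38 (Unix)"
SAMPLE_CONF = "# Protocols http/1.1\nProtocols h2 h2c http/1.1\n"
MITIGATED_CONF = "Protocols http/1.1\n"

if __name__ == "__main__":
    print(assess(SAMPLE_BANNER, SAMPLE_CONF))
    print(assess(SAMPLE_BANNER, MITIGATED_CONF))
```

Distribution packages may backport the fix without changing the upstream version string, so a version in the affected range should be confirmed against the vendor's own advisory.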