X

Need cloud computing? Get started now

Akamai logo
+1-8774252624
+1-8774252624
Login
Control Center
Access the Akamai platform
Cloud Manager
Manage your cloud resources
Try Akamai
Under Attack?
Login
Control Center
Access the Akamai platform
Cloud Manager
Manage your cloud resources
Dark background with blue code overlay
Blog
RSS

HTTP2 Vulnerabilities

Akamai Wave Blue

Written by

Akamai

August 13, 2019

Akamai Wave Blue

Written by

Akamai

On Tuesday, August 13th at 10 AM Pacific Time (1700UTC), Netflix publicly disclosed a series of vulnerabilities found by Jonathan Looney that impact many implementations of the HTTP2 protocol. A vulnerability found by Piotr Sikora of Google was also released at the same time. Akamai is grateful to the reporters for their work and pre-release coordination.

All of the HTTP2 vulnerabilities referenced above are resource exhaustion vulnerabilities, which would impact the availability of the attacked systems and services, thus not compromising the confidentiality or integrity of the data contained within. Vectors like these have been seen in the past when exploited on other protocols, like HTTP2's predecessor HTTP with the Slowloris and Zero Window connection stressing.

Rather than us going into detail on each of the vulnerabilities, please see the write up provided by Netflix.

Vulnerability

CVE

Reporters 

Data Dribble

CVE-2019-9511

Jonathan Looney, Netflix

Ping Flood

CVE-2019-9512

Jonathan Looney, Netflix

Resource Loop

CVE-2019-9513

Jonathan Looney, Netflix

Reset Flood

CVE-2019-9514

Jonathan Looney, Netflix

Settings Flood

CVE-2019-9515

Jonathan Looney, Netflix

0-Length Headers Leak (Nginx variant)

CVE-2019-9516

Jonathan Looney, Netflix

Internal Data Buffering

CVE-2019-9517

Jonathan Looney, Netflix

Empty Frames Flood

CVE-2019-9518

Piotr Sikora, Google

Some Akamai services were impacted by this vulnerability, but all customer services have been patched. Akamai recommends that all Internet connected HTTP2 services be patched for these vulnerabilities as soon as possible. CDN customers that use Akamai and have up-to-date SiteShield lists should be protected from these vulnerabilities while their origin infrastructure is patched.

Akamai Wave Blue

Written by

Akamai

August 13, 2019

Akamai Wave Blue

Written by

Akamai

Related Blog Posts

A good bot management strategy will allow you to take action on one specific bot within a category.
A good bot management strategy will allow you to take action on one specific bot within a category.

Managing AI Bots as Part of Your Overall Bot Management Strategy

November 20, 2024
Learn about the potential impacts of AI bots and the importance of having a holistic bot management strategy.
by Ilia Bromberg and Christine Ferrusi Ross
Read more
A primary goal of Zero Trust is to minimize the attack surface — and microsegmentation is key to achieving this.
A primary goal of Zero Trust is to minimize the attack surface — and microsegmentation is key to achieving this.

Segmenting Hybrid Clouds: What to Look for in a Solution

November 19, 2024
Learn how to select a microsegmentation solution to fortify your organization’s cloud security strategies and protect your assets across multiple public clouds.
by Jacob Abrams
Read more
Proactive, holistic ransomware prevention and protection measures are crucial to your enterprise’s continued success.
Proactive, holistic ransomware prevention and protection measures are crucial to your enterprise’s continued success.

Five Ways to Prevent and Protect Against Ransomware Attacks

November 18, 2024
Ransomware is a pervasive threat to modern enterprises. Learn five key ransomware prevention strategies to protect your business, customers, and data.
by Jacob Abrams
Read more