Nginx HTTP/2 Flaws - Slow Read, HPACK Bomb, Dependency Cycle Attack & Stream Multiplexing Abuse

Seems Imperva researchers discovered that HTTP/2 protocol has some vulnerabilities 4 Flaws hit HTTP/2 Protocol that could allow Hackers to Disrupt Servers

HTTP/2 flaws

• Slow Read (CVE-2016-1546)
• HPACK Bomb (CVE-2016-1544, CVE-2016-2525)
• Dependency Cycle Attack (CVE-2015-8659)
• Stream Multiplexing Abuse (CVE-2016-0150)

Alot of the media seem to have left out specific web server versions vulnerable to these HTTP/2 flaws, so it isn't clear if Nginx, Apache, nghttp2, IIS and Jetty already have patched or fixes these yet ? For instance, the flaws were fixed in nghttp2 1.7.0. While latest nghttp2 is way higher at 1.13 stable and 1.14+ dev Releases · nghttp2/nghttp2 · GitHub

But if you go to the original Imperva pdf results you get a clearer picture and that Nginx 1.9.9 (December 2015) and below <1.9.9 was only vulnerable to HTTP/2 Slow Read CVE-2016-1546. That Nginx version is ancient ! Centmin Mod's Nginx build is currently on Nginx 1.11.3 - so if you haven't updated do so !

---

Other info

• Web Server Makers Plug Four Security Holes in HTTP/2 Protocol Implementation
• Severe vulnerabilities discovered in HTTP/2 protocol | ZDNet
• High-Profile Vulnerabilities Affect HTTP/2 | SecurityWeek.Com