Discover Centmin Mod today
Register Now

Nginx HTTP/2 Flaws - Slow Read, HPACK Bomb, Dependency Cycle Attack & Stream Multiplexing Abuse

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Aug 4, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    May 24, 2014
    Brisbane, Australia
    Local Time:
    11:39 AM
    Nginx 1.19.x
    MariaDB 5.5/10.x
    Seems Imperva researchers discovered that HTTP/2 protocol has some vulnerabilities 4 Flaws hit HTTP/2 Protocol that could allow Hackers to Disrupt Servers

    HTTP/2 flaws

    • Slow Read (CVE-2016-1546)
    • HPACK Bomb (CVE-2016-1544, CVE-2016-2525)
    • Dependency Cycle Attack (CVE-2015-8659)
    • Stream Multiplexing Abuse (CVE-2016-0150)
    Alot of the media seem to have left out specific web server versions vulnerable to these HTTP/2 flaws, so it isn't clear if Nginx, Apache, nghttp2, IIS and Jetty already have patched or fixes these yet ? For instance, the flaws were fixed in nghttp2 1.7.0. While latest nghttp2 is way higher at 1.13 stable and 1.14+ dev Releases · nghttp2/nghttp2 · GitHub

    But if you go to the original Imperva pdf results you get a clearer picture and that Nginx 1.9.9 (December 2015) and below <1.9.9 was only vulnerable to HTTP/2 Slow Read CVE-2016-1546. That Nginx version is ancient ! Centmin Mod's Nginx build is currently on Nginx 1.11.3 - so if you haven't updated do so !






    Other info
    Last edited: Aug 5, 2016