
Nginx HTTP/2 Flaws - Slow Read, HPACK Bomb, Dependency Cycle Attack & Stream Multiplexing Abuse

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Aug 4, 2016.

  1. eva2000

    eva2000 Administrator Staff Member

    Seems Imperva researchers discovered that the HTTP/2 protocol has some vulnerabilities: "4 Flaws hit HTTP/2 Protocol that could allow Hackers to Disrupt Servers".

    HTTP/2 flaws


    • Slow Read (CVE-2016-1546)
    • HPACK Bomb (CVE-2016-1544, CVE-2016-2525)
    • Dependency Cycle Attack (CVE-2015-8659)
    • Stream Multiplexing Abuse (CVE-2016-0150)
    A lot of the media seem to have left out the specific web server versions vulnerable to these HTTP/2 flaws, so it isn't clear if Nginx, Apache, nghttp2, IIS and Jetty have already patched or fixed these yet? For instance, the flaws were fixed in nghttp2 1.7.0, while the latest nghttp2 is way higher at 1.13 stable and 1.14+ dev (Releases · nghttp2/nghttp2 · GitHub).

    But if you go to the original Imperva PDF results you get a clearer picture, and that Nginx 1.9.9 (December 2015) and below <1.9.9 was only vulnerable to HTTP/2 Slow Read CVE-2016-1546. That Nginx version is ancient! Centmin Mod's Nginx build is currently on Nginx 1.11.3 - so if you haven't updated, do so!


    Last edited: Aug 5, 2016