CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers.
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
httpd 2.4.20 to 2.4.39
Description:
A malicious client could perform a DoS attack by flooding
a connection with requests and basically never reading responses
on the TCP connection. Depending on h2 worker dimensioning, it was
possible to block those with relatively few connections.
Mitigation:
All httpd users deploying mod_http2 should upgrade to 2.4.40 or later.
Unpatched servers can disable the HTTP/2 protocol.
Credit:
The issue was discovered by Jonathan Looney of Netflix.
References:
https://httpd.apache.org/security/vulnerabilities_24.html
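
A triage helper for the version range and mitigation above, added here as an example and not part of the Apache advisory. It assumes the banner text comes from `httpd -v` and that the configuration text passed in is the merged server config; the function names and sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage helper for CVE-2019-9517 (httpd 2.4.20 to 2.4.39).
# Version numbers are upstream ones; a distribution package may carry a
# backported fix under an older number, so confirm against vendor notes.

# Extract "2.4.39" from the text printed by `httpd -v`.
banner_version() {
    printf '%s\n' "$1" | sed -n 's|^Server version: Apache/\([0-9.]*\).*|\1|p' | head -n 1
}

# Succeeds when the version lies in the affected range 2.4.20 .. 2.4.39.
version_affected() {
    case $1 in
        2.4.*) patch=${1#2.4.} ;;
        *) return 1 ;;
    esac
    case $patch in
        ''|*[!0-9]*) return 1 ;;   # reject empty or non-numeric patch level
    esac
    [ "$patch" -ge 20 ] && [ "$patch" -le 39 ]
}

# Reads configuration text on stdin; succeeds when an active (uncommented)
# Protocols directive lists h2 or h2c. httpd defaults to http/1.1 only.
h2_enabled() {
    grep -Eiq '^[[:space:]]*Protocols[[:space:]]+(.*[[:space:]])?h2c?([[:space:]]|$)'
}

# assess <httpd -v output> <merged config text>
assess() {
    v=$(banner_version "$1")
    if [ -z "$v" ]; then
        echo "unknown-version"          # banner could not be parsed
    elif ! version_affected "$v"; then
        echo "version-not-in-range"
    elif printf '%s\n' "$2" | h2_enabled; then
        echo "in-range-h2-enabled"      # upgrade, or drop h2/h2c from Protocols
    else
        echo "in-range-h2-disabled"     # mitigated by configuration only
    fi
}

# Constructed sample input, not taken from a real server.
SAMPLE_BANNER='Server version: Apache/2.4.39 (Unix)'
SAMPLE_CONF='LoadModule http2_module modules/mod_http2.so
# Protocols http/1.1
Protocols h2 h2c http/1.1'

assess "$SAMPLE_BANNER" "$SAMPLE_CONF"
```

A result of `in-range-h2-disabled` means only the configuration workaround is in place; the upgrade to 2.4.40 or later is still the fix the advisory recommends.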