
CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.20 to 2.4.39

Description:
A malicious client could perform a DoS attack by flooding a connection
with requests while never (or almost never) reading the responses on the
TCP connection. Depending on how the h2 worker pool was dimensioned, a
relatively small number of such connections was enough to block all h2
workers.

Mitigation:
All httpd users deploying mod_http2 should upgrade to 2.4.40 or later.
Unpatched servers can disable the HTTP/2 protocol.
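An added triage script, not part of the advisory or of the httpd project, that checks whether an httpd version string falls inside the affected range and, on a live host, whether mod_http2 is actually loaded; it assumes the binary is named httpd or apache2 and prints the usual "Server version: Apache/x.y.z" line.

```shell
#!/bin/sh
# Added triage helper (not from the advisory): is this httpd exposed to
# CVE-2019-9517? Affected = version 2.4.20..2.4.39 AND mod_http2 loaded.

# Returns 0 when "$1" (e.g. 2.4.39) is in the affected range, 1 otherwise.
httpd_version_affected() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    # Only the 2.4.x line is affected.
    [ "$major.$minor" = "2.4" ] || return 1
    # Reject a missing or non-numeric patch level (e.g. "2.4").
    case "$patch" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$patch" -ge 20 ] && [ "$patch" -le 39 ]
}

# Extracts "2.4.39" from a line like "Server version: Apache/2.4.39 (Unix)".
# Prints nothing for lines that do not match.
parse_httpd_version() {
    printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9][0-9.]*\).*#\1#p'
}

# Live check on this host: returns 2 = affected, 0 = not affected, 3 = no httpd.
live_check() {
    bin=$(command -v httpd || command -v apache2 || true)
    [ -n "$bin" ] || { echo "no httpd binary found"; return 3; }
    ver=$(parse_httpd_version "$("$bin" -v 2>/dev/null | head -n 1)")
    # "httpd -M" lists loaded modules; mod_http2 shows up as http2_module.
    if "$bin" -M 2>/dev/null | grep -q 'http2_module'; then h2=loaded; else h2="not loaded"; fi
    if httpd_version_affected "$ver" && [ "$h2" = loaded ]; then
        echo "httpd $ver, mod_http2 $h2: affected; upgrade to 2.4.40+ or disable HTTP/2"
        return 2
    fi
    echo "httpd $ver, mod_http2 $h2: not affected"
    return 0
}

# Only run the live check when asked, so the functions can also be sourced.
if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

Run with `--live` on the server to check it in place. Where an upgrade is not yet possible, removing `h2` (and `h2c`) from the `Protocols` directive leaves only `http/1.1`, which is what "disable the HTTP/2 protocol" means in practice.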

Credit:
The issue was discovered by Jonathan Looney of Netflix.

References:
https://httpd.apache.org/security/vulnerabilities_24.html