August 15, 2019

HTTP/2 Denial of Service update

HTTP2

James Cline, Sr Software Dev Engineer

Verizon Media makes every effort to ensure that your web services remain 100% available. As such, we are informing you that the recent vulnerabilities associated with HTTP/2 on our network have been patched.

Netflix, Google, and CERT/CC worked together to inform the Internet community to expedite patching before the public announcement for CVE-2019-9511 through CVE-2019-9518.

While most of our systems were not vulnerable to these Denial of Service attacks, those that were vulnerable have been patched. We greatly appreciate the pre-announcement notification, which helps us protect our customers and ensure a reliable Internet for everyone.

Details

HTTP/2 is an update to the HTTP specification, which is fundamentally different in terms of the underlying technology. While HTTP used a simple, predominantly text-based system on top of TCP, HTTP/2 further adds its own connection multiplexing, window framing, and binary format.

The idea behind these vulnerabilities is to misuse a feature of HTTP/2. A common theme among them is sending a flood of a particular HTTP/2 message (e.g., the PING frame). Whether an exploit succeeds depends on how the application handles these messages. For example, if the application logs every PING frame, the system would be susceptible to high CPU usage and the depletion of system storage.
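The following added example, which is not from the original post or from Verizon Media's systems, shows one way a server can parse HTTP/2 frame headers and enforce a per-connection budget on PING frames, keeping an aggregate counter instead of writing a log line per frame. The names `PingBudget` and `police`, the thresholds, and the sample traffic are assumptions constructed for illustration; the buffer is assumed to start after the client connection preface.

```python
from collections import deque

HEADER_LEN = 9            # RFC 7540 section 4.1: fixed 9-octet frame header
PING, FLAG_ACK = 0x6, 0x1
ENHANCE_YOUR_CALM = 0xB   # RFC 7540 error code for a peer generating excessive load

def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame; used only to construct the sample input."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)

def iter_frames(buf):
    """Yield (type, flags, stream_id, payload) for each complete frame in buf."""
    off = 0
    while off + HEADER_LEN <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        end = off + HEADER_LEN + length
        if end > len(buf):
            break                      # truncated frame: wait for more bytes
        yield ftype, flags, stream_id, buf[off + HEADER_LEN:end]
        off = end

class PingBudget:
    """Sliding-window limit on non-ACK PINGs for one connection (hypothetical policy)."""
    def __init__(self, max_pings=10, window_s=1.0):
        self.max_pings, self.window_s = max_pings, window_s
        self.seen = deque()            # arrival times inside the current window
        self.total = 0                 # aggregate counter, not a log line per frame

    def allow(self, now):
        self.total += 1
        self.seen.append(now)
        while self.seen and now - self.seen[0] > self.window_s:
            self.seen.popleft()
        return len(self.seen) <= self.max_pings

def police(buf, arrival_times, budget):
    """Return None if traffic is within budget, else the error code for GOAWAY."""
    times = iter(arrival_times)
    for ftype, flags, _sid, _payload in iter_frames(buf):
        now = next(times)
        if ftype == PING and not flags & FLAG_ACK and not budget.allow(now):
            return ENHANCE_YOUR_CALM   # caller sends GOAWAY and closes the connection
    return None

# Constructed samples: 50 PINGs (sent 1 ms apart) and 5 PINGs (sent 1 s apart).
FLOOD = b"".join(build_frame(PING, 0, 0, bytes(8)) for _ in range(50))
KEEPALIVE = b"".join(build_frame(PING, 0, 0, bytes(8)) for _ in range(5))
```

Processing stops at the first frame over budget, so the work done per abusive connection is bounded by `max_pings + 1` frames.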

Mitigation

The majority of our services were not vulnerable to these issues. The services that were vulnerable were only vulnerable to one of the exploits, and have since been patched. No action is required by customers to mitigate these attacks for content that is served via our delivery network.
