The Security Considerations section of RFC7540 discusses some of the considerations needed for HTTP/2 connections as they demand more resources to operate than HTTP/1.1 connections. While it generally covers expected behavior considerations,how to mitigate abnormal behavior is left to the implementer which can leave it open to the following weaknesses. CVE-2019-9511,also known as Data Dribble The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued,this can consume excess CPU,memory,or both,potentially leading to a denial of service. CVE-2019-9512,also known as Ping Flood The attacker sends continual pings to an HTTP/2 peer,causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued,this can consume excess CPU,memory,or both,potentially leading to a denial of service. CVE-2019-9513,also known as Resource Loop The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU,potentially leading to a denial of service. CVE-2019-9514,also known as Reset Flood The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames,this can consume excess memory,CPU,or both,potentially leading to a denial of service. CVE-2019-9515,also known as Settings Flood The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame,an empty ..
Support the originator by clicking the read the rest link below.
