Allele Security Alert
mod_http2, DoS attack by exhausting h2 workers
The Apache Software Foundation
Apache HTTP Server
Apache HTTP Server versions 2.4.20 to 2.4.39
Apache HTTP Server version 2.4.41
Proof of concept
A malicious client could perform a DoS attack by flooding a connection with requests while essentially never reading the responses on the TCP connection. Depending on how the h2 workers were dimensioned, it was possible to block those workers with relatively few connections.
Jonathan Looney (Netflix)
httpd 2.4 vulnerabilities – The Apache HTTP Server Project
CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers
Apache HTTP Server 2.4.41 Released
HTTP/2 Denial of Service Advisory
Last modified: August 22, 2019