ASA-2019-00516 – Apache HTTP Server: mod_http2, DoS attack by exhausting h2 workers


Allele Security Alert

ASA-2019-00516

Identifier(s)

ASA-2019-00516, CVE-2019-9517

Title

mod_http2, DoS attack by exhausting h2 workers

Vendor(s)

The Apache Software Foundation

Product(s)

Apache HTTP Server

Affected version(s)

Apache HTTP Server versions 2.4.20 to 2.4.39

Fixed version(s)

Apache HTTP Server version 2.4.41

Proof of concept

Unknown

Description

A malicious client could perform a DoS attack by flooding a connection with requests while never reading the responses on the TCP connection. Depending on how the h2 workers were dimensioned, it was possible to block all of them with relatively few connections.
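A quick inventory check a defender can run against the affected range given in this alert (2.4.20 through 2.4.39, fixed in 2.4.41). This is an added example, not code from the alert or the Apache project; the banner strings are constructed samples, and the `httpd -v` banner format is assumed to be "Server version: Apache/x.y.z (...)".

```python
import re

# Affected range and fix version as stated in this alert.
AFFECTED_MIN = (2, 4, 20)
AFFECTED_MAX = (2, 4, 39)
FIXED = (2, 4, 41)

# Matches the "Apache/x.y.z" token in an `httpd -v` banner (assumed format).
_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_httpd_version(banner: str):
    """Return (major, minor, patch) from a banner line, or None if absent."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version) -> bool:
    """True when the version lies inside the range this alert names."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(banner: str) -> dict:
    """Classify one banner: affected (True/False) or None if unparseable."""
    version = parse_httpd_version(banner)
    if version is None:
        return {"version": None, "affected": None, "advice": "could not parse version"}
    affected = is_affected(version)
    advice = ("upgrade to %d.%d.%d or later" % FIXED) if affected else "outside affected range"
    return {"version": version, "affected": affected, "advice": advice}


# Constructed sample banners, not captured from any real host.
SAMPLE_BANNERS = [
    "Server version: Apache/2.4.39 (Unix)",
    "Server version: Apache/2.4.41 (Unix)",
    "Server version: Apache/2.4.18 (Ubuntu)",
    "Server version: Apache/2.2.34 (Unix)",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        result = assess(banner)
        print(banner, "->", result["affected"], result["advice"])
```

The version string is only a first pass: a build in the range that does not load mod_http2 is not exposed, and a distribution build may carry the fix under an older version number, so confirm against the vendor's package changelog.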

Technical details

Unknown

Credits

Jonathan Looney (Netflix)

Reference(s)

httpd 2.4 vulnerabilities – The Apache HTTP Server Project
https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers
https://seclists.org/oss-sec/2019/q3/142

Apache HTTP Server 2.4.41 Released
https://www.apache.org/dist/httpd/Announcement2.4.html

HTTP/2 Denial of Service Advisory
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

CVE-2019-9517
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9517

CVE-2019-9517
https://nvd.nist.gov/vuln/detail/CVE-2019-9517

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: August 22, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.