Multiple HTTP/2 implementations are vulnerable to a variety of denial-of-service (DoS) attacks.
Netflix discovered several resource exhaustion vectors affecting a variety of third-party HTTP/2 implementations. These attack vectors can be used to launch DoS attacks against servers that support HTTP/2 communication.
Netflix worked with Google and CERT/CC to coordinate disclosure to the Internet community.
In most cases, an immediate workaround is to disable HTTP/2 support. However, this may cause performance degradation, and it might not be possible in all cases. To obtain software fixes, please contact your software vendor.
A number of vendors have announced patches to correct this suboptimal behaviour.
Further information regarding HTTP/2 can be found here.
Further information regarding this vulnerability can be found here.
Please see this matrix of affected products and vulnerabilities.