HTTP/2 Denial of Service Vulnerability Alert

The Netflix security team, in cooperation with Google and CERT/CC, disclosed denial-of-service vulnerabilities in HTTP/2 protocol implementations across a variety of middleware services. We found that many of the key attack vectors (fixed today) are variants of one theme: a malicious client asks the server to do something that generates a response, but the client refuses to read the response. This exercises the server's queue management code. Depending on how the server handles its queues, the client can force it to consume too much memory and CPU while processing the requests.

CVE-2019-9511

The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate the window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this may consume excessive CPU, memory, or both, which may lead to a denial of service.

CVE-2019-9512

The attacker sends continuous pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this may consume excessive CPU, memory, or both, which may lead to a denial of service.

CVE-2019-9513

The attacker creates multiple request streams and continually changes the priority of the streams in a way that causes substantial churn in the priority tree. This may consume excessive CPU, which may lead to a denial of service.

CVE-2019-9514

The attacker opens multiple streams and sends a request on each stream that should solicit RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this may consume too much memory, CPU, or both, which may lead to a denial of service.

CVE-2019-9515

The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires the peer to reply with one acknowledgment per SETTINGS frame, an empty SETTINGS frame behaves in substantially the same way as a ping. Depending on how efficiently this data is queued, this may consume excessive CPU, memory, or both, which may lead to a denial of service.

CVE-2019-9516

The attacker sends a stream of headers with a 0-length header name and a 0-length header value, optionally Huffman-encoded into headers of 1 byte or more. Some implementations allocate memory for these headers and keep the allocation alive until the session is terminated. This may consume too much memory, which may lead to a denial of service.

CVE-2019-9517

The attacker opens the HTTP/2 window so that the peer can send without limit; however, they keep the TCP window closed, so the peer cannot actually write (many) bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the server queues the responses, this may consume too much memory, CPU, or both, which may lead to a denial of service.

CVE-2019-9518

The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame that is disproportionate to the attack bandwidth. This may consume excessive CPU, which may lead to a denial of service.
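
An added example, not part of the original advisory or any vendor's code: Python detection logic that parses client-to-server HTTP/2 frame headers from a decrypted connection capture and flags the frame patterns described for CVE-2019-9512, CVE-2019-9513, CVE-2019-9515 and CVE-2019-9518. The `LIMIT` budget, the function names and the sample bytes are assumptions constructed for illustration, and the buffer is assumed to start after the connection preface.

```python
from collections import Counter

# HTTP/2 frame type codes (RFC 7540, section 6)
DATA, HEADERS, PRIORITY, SETTINGS, PUSH_PROMISE, PING, CONTINUATION = 0, 1, 2, 4, 5, 6, 9
END_STREAM = ACK = 0x1   # flag bit 0: END_STREAM on DATA/HEADERS, ACK on SETTINGS/PING
EMPTY_TYPES = (DATA, HEADERS, CONTINUATION, PUSH_PROMISE)
LIMIT = 100              # assumed per-connection frame budget; tune on real traffic

def frame(ftype, flags=0, stream=0, payload=b""):
    """Build one frame; used only to construct the sample input below."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream.to_bytes(4, "big") + payload)

def parse_frames(buf):
    """Yield (type, flags, stream_id, length) for each complete frame in buf."""
    pos = 0
    while pos + 9 <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        if pos + 9 + length > len(buf):
            break  # truncated trailing frame: stop instead of misparsing
        yield ftype, flags, stream, length
        pos += 9 + length

def classify(buf, limit=LIMIT):
    """Return the names of the flood patterns whose frame count exceeds limit."""
    seen = Counter()
    for ftype, flags, _stream, length in parse_frames(buf):
        if ftype == PING and not flags & ACK:
            seen["ping_flood"] += 1          # CVE-2019-9512
        elif ftype == SETTINGS and not flags & ACK:
            seen["settings_flood"] += 1      # CVE-2019-9515
        elif ftype == PRIORITY:
            seen["priority_churn"] += 1      # CVE-2019-9513
        elif length == 0 and ftype in EMPTY_TYPES:
            # END_STREAM is only defined for DATA and HEADERS frames
            if not (ftype in (DATA, HEADERS) and flags & END_STREAM):
                seen["empty_frames"] += 1    # CVE-2019-9518
    return {name for name, count in seen.items() if count > limit}

# Constructed sample: an ordinary session start, then a burst of non-ACK PINGs.
NORMAL = (frame(SETTINGS) + frame(SETTINGS, ACK)
          + frame(HEADERS, END_STREAM | 0x4, 1, b"\x82\x86\x84"))
SAMPLE = NORMAL + frame(PING, payload=bytes(8)) * 150

if __name__ == "__main__":
    print(classify(NORMAL), classify(SAMPLE))
```

The check counts frames per captured connection rather than per unit of time, so a long-lived legitimate connection needs a windowed counter in front of it.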

Nginx has been confirmed to be affected and has released an update that fixes the issue.

Origin www.linuxidc.com/Linux/2019-08/160052.htm