Apache Webserver HTTP/2 DoS Attack

IDs: 
CVE-2016-8740
Keywords: 
HTTP/2, DoS, Apache, httpd
Description: 

The HTTP/2 module mod_http2 in Apache HTTP server is affected by a denial of service vulnerability (CVE-2016-8740).

Airlock WAF 6.0 and earlier are not affected.
Airlock WAF 6.1 is affected if HTTP/2 support is enabled.

Details:

HTTP/2 support is available since Airlock WAF 6.1 and can be enabled per virtual host by setting the checkbox "Enable HTTP/2". By default, HTTP/2 support is disabled.

By sending a large amount of request header data, an attacker can increase the memory and CPU consumption of the system.

The Airlock team was able to write an exploit for this vulnerability that consumes a large amount of memory and CPU resources on systems that have HTTP/2 enabled.
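Because the resource exhaustion described above is driven by request header volume, one practical way to spot it on an affected host is to look at the bytes received per request on HTTP/2 connections. The following is an added example, not code from the advisory or from Airlock, and it assumes an Apache access log written with mod_logio's %I field appended to the common format (LogFormat "%h %l %u %t \"%r\" %>s %O %I"); the log lines, client addresses and the 64 KiB threshold are constructed for illustration. Requests with a body (POST, PUT) are skipped, because %I also counts body bytes and would otherwise produce false positives on legitimate uploads.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not taken from the advisory). Assumed LogFormat:
#   LogFormat "%h %l %u %t \"%r\" %>s %O %I" h2io    (%O and %I require mod_logio)
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2016:10:00:01 +0100] "GET /index.html HTTP/2.0" 200 1532 612
203.0.113.5 - - [10/Dec/2016:10:00:02 +0100] "GET /index.html HTTP/2.0" 200 1532 98304
203.0.113.5 - - [10/Dec/2016:10:00:02 +0100] "GET /index.html HTTP/2.0" 200 1532 131072
198.51.100.7 - - [10/Dec/2016:10:00:03 +0100] "GET /index.html HTTP/1.1" 200 1532 120000
192.0.2.9 - - [10/Dec/2016:10:00:04 +0100] "POST /upload HTTP/2.0" 200 20 400000
"""

# One regex for the assumed format: client, ident, user, timestamp, request line,
# status, bytes sent (%O) and bytes received including headers (%I).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<out>\d+|-) (?P<inb>\d+|-)$'
)

# Methods that normally carry no body, so %I is close to the header size.
BODYLESS_METHODS = {"GET", "HEAD", "OPTIONS"}


def parse_line(line):
    """Parse one access-log line; return a dict or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["received"] = 0 if rec["inb"] == "-" else int(rec["inb"])
    return rec


def suspicious_h2_headers(log_text, threshold=65536):
    """Map client IP -> list of received-byte counts for HTTP/2 requests on
    body-less methods whose received bytes exceed the threshold (constructed
    default of 64 KiB; tune it to the site's real header sizes)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; skip rather than crash the scan
        if rec["proto"] != "HTTP/2.0":
            continue  # the advisory concerns mod_http2 only
        if rec["method"] not in BODYLESS_METHODS:
            continue  # body bytes would inflate %I
        if rec["received"] > threshold:
            hits[rec["ip"]].append(rec["received"])
    return dict(hits)


if __name__ == "__main__":
    for ip, sizes in suspicious_h2_headers(SAMPLE_LOG).items():
        print(f"{ip}: {len(sizes)} oversized HTTP/2 header request(s), max {max(sizes)} bytes")
```

On the constructed input only 203.0.113.5 is reported (two GET requests over HTTP/2 with 98304 and 131072 received bytes); the HTTP/1.1 request and the HTTP/2 POST are ignored by design. A count or rate per client from this output is what you would feed into a block rule or an alert while the hotfix is rolled out.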

Resolution: 

No action is required if HTTP/2 is disabled.

A hotfix is available for Airlock WAF 6.1 to fix the vulnerability in Apache HTTP Server.

Component: 
Airlock
Airlock Vulnerability Status: 
Airlock vulnerable, see resolution
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock