You are here

Apache Webserver HTTP/2 DoS Attack

HTTP/2, DoS, Apache, httpd

The HTTP/2 module mod_http2 in Apache HTTP server is affected by a denial of service vulnerability (CVE-2016-8740).

Airlock WAF 6.0 and earlier is not affected.
Airlock WAF 6.1 is affected if HTTP/2 support is enabled.


HTTP/2 support is available since Airlock WAF 6.1 and can be enabled in the virtual host by setting the checkbox Enable HTTP/2. By default HTTP/2 support is disabled.

By sending large amount of request header data, an attacker can increase memory and CPU consumption of the system. 

The Airlock team was able to write an exploit for this vulnerability consuming large amount of memory and CPU resources on systems that have HTTP/2 enabled.


No action is required if HTTP/2 is disabled.

A hotfix is available for Airlock WAF 6.1 to fix the vulnerabiltiy in Apache HTTP Server.

Airlock Vulnerability Status: 
Airlock vulnerable, see resolution
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock