Impact
The overly large HTTP/2 SETTINGS frame payload causes denial of service.
The proof of concept attack involves a malicious client
constructing a SETTINGS frame with a length of 14,400 bytes (2400
individual settings entries) over and over again. The attack
causes the CPU to spike at 100%.
Patches
nghttp2 v1.41.0 fixes this vulnerability.
Workarounds
There is a workaround to this vulnerability.
Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.
References
The following commits mitigate this vulnerability:
Timeline
This vulnerability was originally reported by Gal Goldshtein.
Then it was reported by James M Snell to nghttp2 project on April 17.
For more information
If you have any questions or comments about this advisory:
Impact
The overly large HTTP/2 SETTINGS frame payload causes denial of service.
The proof of concept attack involves a malicious client
constructing a SETTINGS frame with a length of 14,400 bytes (2400
individual settings entries) over and over again. The attack
causes the CPU to spike at 100%.
Patches
nghttp2 v1.41.0 fixes this vulnerability.
Workarounds
There is a workaround to this vulnerability.
Implement nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of settings entries are large (e.g., > 32), then drop the connection.
References
The following commits mitigate this vulnerability:
Timeline
This vulnerability was originally reported by Gal Goldshtein.
Then it was reported by James M Snell to nghttp2 project on April 17.
For more information
If you have any questions or comments about this advisory: