4 Major Vulnerabilities Discovered In HTTP/2 Protocol


Client computing is increasingly providing a back door into the enterprise for the compromise and

Web administrators take note: The vulnerabilities Imperva discovered in the HTTP/2 protocol were reported to vendors, and patched versions are already available.

Cyber-security specialist Imperva released its latest "Hacker Intelligence Initiative (HII) Report" this week, which highlights the four major vulnerabilities in HTTP/2 -- the new version of the HTTP protocol that serves as one of the main building blocks of the internet.

In the research, the company found four different attack vectors, and was able to find an exploitable vulnerability in almost all of the new components of the HTTP/2 protocol.

The four different attack vectors Imperva discovered are Slow Read, HPACK (Compression), Dependency DoS, and Stream abuse.

The team took an in-depth look at HTTP/2 server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2. The security researchers discovered exploitable vulnerabilities in all major HTTP/2 mechanisms that it reviewed.

These include two that are similar to well known and widely exploited vulnerabilities in HTTP/1.x.

"All the vulnerabilities we discovered were reported to the vendors and patched versions are already available," Itsik Mantin, director of security research for Imperva, told InformationWeek. "In order to stay safe, web administrators need to make sure to use a version of their server that has this vulnerability fixed."

Mantin explained in order to win this patching race, application providers can either make sure to continuously get patches for the servers and all the third-party libraries they are using and install them in time, or use a web application firewall with virtual patching capabilities to provide ongoing protection to their applications.

He warned that, in addition to a direct financial loss, affected businesses should also take into account reputational damage, customer attrition, and legal pursuits that may have an even higher financial cost.

"This is especially concerning when it comes to web attacks, as the attacker can run the attack on hundreds or thousands of vulnerable applications from any point of the globe and without leaving his couch," Mantin said.

The HTTP/2 protocol was designed to be the next-generation protocol for web applications. Unlike the stopgap HTTP/1.x, the new protocol displays a complete technical makeover and introduces new significant mechanisms, but with its broader scope extends the attack surface and introduces new vulnerabilities into servers and clients.

The Imperva report noted it is likely that other implementations of the HTTP/2 protocol also suffer from these vulnerabilities.

[Read how many companies were vulnerable to ransomware in 2015.]

While the designers of HTTP/2 made a "significant effort" to identify and address security risks involved in the new protocol through design choices, the survey noted that implementations of HTTP/2 servers do not always follow these guidelines.

Imperva tested five popular servers and found all to be vulnerable to at least one attack, leading to the conclusion that other implementations of the protocol could suffer from these vulnerabilities, especially those that rely on external HTTP/2 libraries.

The report also cautions that many open source software code vendors share the same code and are therefore likely to have the same vulnerabilities.

This indicates vendors need to cooperate to mitigate vulnerabilities that make the work of patching things ever more lengthy and complicated.

"This research is pointing out once again that new technology brings new risks. When releasing new code into the wild, it is only a matter of time until new vulnerabilities are found and exploited," the report concluded. "The solution lies with an external component in the network that aims to reduce these risks."

0 Comment

Leave a Reply

Captcha image


  • 5300c769af79e

    Tuesday Poll: Do You Play Mobile Games?

    In 2016, there have been a couple games to gain a lot of traction, the top being Pokemon GO, of course.Do you even mobile game, bro?
  • 5300c769af79e

    The FAA may ban Samsung’s exploding Galaxy Note 7 from U.S. flights

    For that very reason, the Federal Aviation Administration (FAA) appears to have Samsung’s just-launched Galaxy Note 7 in its sights.The American regulatory agency is understandably concerned about recent reports of at least 35 Note 7 devices catching fire without warning after the battery apparently overheated while charging.
  • 5300c769af79e

    Video: Google Assistant on the Pixel

    You know that already, of course, because Google started off its October 4 Pixel event by talking about the Assistant and AI for a good 15 minutes before ever announcing a thing.This is the future of Google’s software advancements and with it front and center on their new phones (soon Google Home too), it’ll only get better, smarter, and more valuable the more you use it.
  • 5300c769af79e

    Oracle VP Des Cahill: Get in Tune With Your Customer

    In this exclusive interview, CRM Buyer discusses with Cahill the evolution of customer experience management.Des Cahill: We're in an era of the empowered consumer, and the empowered consumer is a social amplifier.