4 Major Vulnerabilities Discovered In HTTP/2 Protocol


Web administrators take note: The vulnerabilities Imperva discovered in the HTTP/2 protocol were reported to vendors, and patched versions are already available.

Cyber-security specialist Imperva released its latest "Hacker Intelligence Initiative (HII) Report" this week, which highlights the four major vulnerabilities in HTTP/2 -- the new version of the HTTP protocol that serves as one of the main building blocks of the internet.

In the research, the company found four different attack vectors, and was able to find an exploitable vulnerability in almost all of the new components of the HTTP/2 protocol.

The four different attack vectors Imperva discovered are Slow Read, HPACK (Compression), Dependency DoS, and Stream abuse.

The team took an in-depth look at HTTP/2 server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2. The security researchers discovered exploitable vulnerabilities in all major HTTP/2 mechanisms that it reviewed.

These include two that are similar to well known and widely exploited vulnerabilities in HTTP/1.x.

"All the vulnerabilities we discovered were reported to the vendors and patched versions are already available," Itsik Mantin, director of security research for Imperva, told InformationWeek. "In order to stay safe, web administrators need to make sure to use a version of their server that has this vulnerability fixed."

Mantin explained in order to win this patching race, application providers can either make sure to continuously get patches for the servers and all the third-party libraries they are using and install them in time, or use a web application firewall with virtual patching capabilities to provide ongoing protection to their applications.

He warned that, in addition to a direct financial loss, affected businesses should also take into account reputational damage, customer attrition, and legal pursuits that may have an even higher financial cost.

"This is especially concerning when it comes to web attacks, as the attacker can run the attack on hundreds or thousands of vulnerable applications from any point of the globe and without leaving his couch," Mantin said.

The HTTP/2 protocol was designed to be the next-generation protocol for web applications. Unlike the stopgap HTTP/1.x, the new protocol displays a complete technical makeover and introduces new significant mechanisms, but with its broader scope extends the attack surface and introduces new vulnerabilities into servers and clients.

The Imperva report noted it is likely that other implementations of the HTTP/2 protocol also suffer from these vulnerabilities.

[Read how many companies were vulnerable to ransomware in 2015.]

While the designers of HTTP/2 made a "significant effort" to identify and address security risks involved in the new protocol through design choices, the survey noted that implementations of HTTP/2 servers do not always follow these guidelines.

Imperva tested five popular servers and found all to be vulnerable to at least one attack, leading to the conclusion that other implementations of the protocol could suffer from these vulnerabilities, especially those that rely on external HTTP/2 libraries.

The report also cautions that many open source software code vendors share the same code and are therefore likely to have the same vulnerabilities.

This indicates vendors need to cooperate to mitigate vulnerabilities that make the work of patching things ever more lengthy and complicated.

"This research is pointing out once again that new technology brings new risks. When releasing new code into the wild, it is only a matter of time until new vulnerabilities are found and exploited," the report concluded. "The solution lies with an external component in the network that aims to reduce these risks."

0 Comment

Leave a Reply

Captcha image


  • 5300c769af79e

    Productivity & Collaboration Apps News, Analysis, & Advice

    Jessica DavisBy Senior Editor, Enterprise Apps, 4/21/2016ReadPost a Comment Skype users on Apple's Mac machines and the Web can now interact with bots from Microsoft.Kelly SheridanBy Associate Editor, InformationWeek, 4/19/2016ReadPost a Comment This is a great rundown of email apps.
  • 5300c769af79e

    Agile Infrastructure Monitoring for the Application Economy

    You're seeing the impact of this in your organization---from the increased expectations of customers for access to always-available applications, to internal departments and teams that depend on a reliable infrastructure to support fast application development and deployment.Against a backdrop of growing big data initiatives, this situation significantly adds to your infrastructure management requirements.
  • 5300c769af79e

    LG V20 Will be Announced on September 6

    The LG V20, LG’s next flagship phone that will also be the first phone to run Android Nougat out of the box, will be unveiled on September 6 at an event in San Francisco.LG announced the news via its “social” blog without mentioning other details, outside of a “second story begins” theme that is in reference to this being the 2nd “V” phone.
  • 5300c769af79e

    10 Tools For Effective DevOps Collaboration

    Here are 10 tools that can help make it easier (or possible) for your teams to work together.Fortunately, there have never been more tools available for teams to use or more aspects of collaboration covered by those tools.