Multiple implementations of the HTTP/2 protocol are vulnerable to attacks that could consume sufficient resources to cause a denial-of-service (DoS) condition on unpatched servers.

The behavior can be triggered by exploiting vulnerabilities in servers that support HTTP/2 communication, which is 40.0% of all websites on the Internet today, according to current statistics from W3Techs.

Variants of the same theme

Today, a set of eight vulnerabilities that could lead to a DoS condition has been disclosed. Several vendors have already patched their systems to correct the faults.

All of them can be leveraged by a remote client. Some are significantly more severe than others, as a single end-system could use them to impact multiple servers. The less efficient ones, though, can still be leveraged in DDoS attacks.

Seven of the flaws were discovered by Jonathan Looney of Netflix and one by Piotr Sikora of Google. The full list with a description for each of them is available at the end of the article.

In an advisory today, Netflix says that all the attack vectors are variations of the same theme, where a client triggers a response from a vulnerable server and then refuses to read it.

Depending on how the server manages its queues, the client can then force it into using excessive memory and CPU to process the incoming requests and hold the unread responses.
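To make the queuing problem concrete, here is a small added model (not code from the article, Netflix's advisory, or any of the affected servers) of how a server can bound what it keeps around for a peer that requests responses and never reads them. The cap values, the `Connection` class and the `run_peer` helper are hypothetical; the error code name `ENHANCE_YOUR_CALM` is the one HTTP/2 defines for peers that exceed a server's resource limits. The model queues response frames per connection, drains them only when the peer reads, and tears the connection down once queued bytes or frames exceed the configured limit, which is the kind of accounting that keeps a non-reading client from inflating server memory.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical per-connection limits a server might enforce on output it has
# generated but the peer has not yet consumed. Values are illustrative only.
MAX_PENDING_BYTES = 64 * 1024
MAX_PENDING_FRAMES = 512


@dataclass
class Connection:
    """Server-side view of one HTTP/2 connection's unread output."""
    peer: str
    pending: List[Tuple[str, int]] = field(default_factory=list)  # (frame type, payload size)
    pending_bytes: int = 0
    peak_bytes: int = 0
    closed_reason: Optional[str] = None

    def enqueue(self, frame_type: str, payload_len: int) -> bool:
        """Queue a response frame for the peer; returns False if the connection was closed."""
        if self.closed_reason is not None:
            return False
        self.pending.append((frame_type, payload_len))
        self.pending_bytes += payload_len
        self.peak_bytes = max(self.peak_bytes, self.pending_bytes)
        if self.pending_bytes > MAX_PENDING_BYTES or len(self.pending) > MAX_PENDING_FRAMES:
            # The peer is not draining what it asked for: stop buffering on its behalf,
            # release the queue, and record why the connection was torn down.
            self.closed_reason = "ENHANCE_YOUR_CALM"
            self.pending.clear()
            self.pending_bytes = 0
            return False
        return True

    def drain(self, max_bytes: int) -> int:
        """Model the peer reading up to max_bytes of queued output; returns bytes released."""
        released = 0
        while self.pending and released < max_bytes:
            _, size = self.pending.pop(0)
            self.pending_bytes -= size
            released += size
        return released


def run_peer(peer: str, requests: int, response_size: int, read_per_round: int) -> Connection:
    """Simulate a peer issuing `requests` requests, each answered with `response_size`
    bytes, while reading `read_per_round` bytes after every request (0 = never reads)."""
    conn = Connection(peer=peer)
    for _ in range(requests):
        # A typical response is a HEADERS frame followed by DATA carrying the body.
        if not conn.enqueue("HEADERS", 128):
            break
        if not conn.enqueue("DATA", response_size):
            break
        if read_per_round:
            conn.drain(read_per_round)
    return conn


if __name__ == "__main__":
    # Constructed scenarios: a well-behaved peer that reads what it requested,
    # and one that keeps requesting while reading nothing back.
    good = run_peer("reader", requests=10_000, response_size=4096, read_per_round=8192)
    bad = run_peer("non-reader", requests=10_000, response_size=4096, read_per_round=0)
    for c in (good, bad):
        print(f"{c.peer}: peak queued {c.peak_bytes} bytes, closed={c.closed_reason}")
```

The `peak_bytes` field is the figure a defender cares about: with the cap in place it stays near one response for the reading peer and is bounded by `MAX_PENDING_BYTES` for the non-reading one, instead of growing with every request the client sends. Real servers express the same idea through stream and flow-control window limits rather than a single byte counter, but the accounting decision is the same.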

DoS attacks can cause servers to become unresponsive and deny visitors access to web pages. In a less severe case the pages could take longer to load.

A vulnerability note from the CERT Coordination Center shows an impressive matrix of vendors that may be affected by these DoS vulnerabilities.

The list includes big names like Amazon, Apache, Apple, Facebook, Microsoft, nginx, Node.js, and Ubuntu.

Vendors release patches

Some of them have already corrected the problems. Cloudflare announced fixes for seven of the vulnerabilities that impacted its Nginx servers responsible for HTTP/2 communication.

Threat actors have already started to exploit the vulnerabilities; the company told BleepingComputer that it has thwarted some attempts.

"There are 6 different potential vulnerabilities here and we are monitoring for all of them. We have detected and mitigated a handful of attacks but nothing widespread yet." - CloudFlare

The corrections occurred before the coordinated disclosure as Cloudflare, along with other vendors, received an advance notification from Netflix about the DoS security risks.

Microsoft also released patches for five (1, 2, 3, 4, 5) of the DoS flaws that affect its HTTP/2 protocol stack (HTTP.sys).

The Nginx changelog for today's update to mainline version 1.17.3 notes fixes for three of the DoS vulnerabilities. The stable branch has also been updated to 1.16.1 to fix the same issues, as per its own changelog.

Apple also patched the SwiftNIO application framework against five of the flaws, which could affect macOS versions from Sierra 10.12 onward.