4 Major Vulnerabilities Discovered In HTTP/2 Protocol - InformationWeek


Web administrators take note: The vulnerabilities Imperva discovered in the HTTP/2 protocol were reported to vendors, and patched versions are already available.

Cyber-security specialist Imperva released its latest "Hacker Intelligence Initiative (HII) Report" this week, which highlights four major vulnerabilities in HTTP/2 -- the new version of the HTTP protocol, one of the main building blocks of the internet.

In the research, the company found four different attack vectors, and was able to find an exploitable vulnerability in almost all of the new components of the HTTP/2 protocol.

The four different attack vectors Imperva discovered are Slow Read, HPACK (Compression), Dependency DoS, and Stream abuse.

The team took an in-depth look at HTTP/2 server implementations from Apache, Microsoft, NGINX, Jetty, and nghttp2. The security researchers discovered exploitable vulnerabilities in all of the major HTTP/2 mechanisms they reviewed.

(Image: ahlobystov/iStockphoto)

These include two that are similar to well-known and widely exploited vulnerabilities in HTTP/1.x.

"All the vulnerabilities we discovered were reported to the vendors and patched versions are already available," Itsik Mantin, director of security research for Imperva, told InformationWeek. "In order to stay safe, web administrators need to make sure to use a version of their server that has this vulnerability fixed."

Mantin explained that, in order to win this patching race, application providers can either make sure they continuously receive patches for their servers and all the third-party libraries they use and install them in time, or use a web application firewall with virtual patching capabilities to provide ongoing protection to their applications.

He warned that, in addition to a direct financial loss, affected businesses should also take into account reputational damage, customer attrition, and legal pursuits that may have an even higher financial cost.

"This is especially concerning when it comes to web attacks, as the attacker can run the attack on hundreds or thousands of vulnerable applications from any point of the globe and without leaving his couch," Mantin said.

The HTTP/2 protocol was designed to be the next-generation protocol for web applications. Unlike the stopgap HTTP/1.x, the new protocol is a complete technical makeover that introduces significant new mechanisms, but its broader scope also extends the attack surface and introduces new vulnerabilities into servers and clients.

The Imperva report noted it is likely that other implementations of the HTTP/2 protocol also suffer from these vulnerabilities.

While the designers of HTTP/2 made a "significant effort" to identify and address security risks involved in the new protocol through design choices, the survey noted that implementations of HTTP/2 servers do not always follow these guidelines.

Imperva tested five popular servers and found all to be vulnerable to at least one attack, leading to the conclusion that other implementations of the protocol could suffer from these vulnerabilities, especially those that rely on external HTTP/2 libraries.

The report also cautions that many open source software code vendors share the same code and are therefore likely to have the same vulnerabilities.

This means vendors need to cooperate to mitigate such vulnerabilities, since shared code makes the work of patching ever more lengthy and complicated.

"This research is pointing out once again that new technology brings new risks. When releasing new code into the wild, it is only a matter of time until new vulnerabilities are found and exploited," the report concluded. "The solution lies with an external component in the network that aims to reduce these risks."

Nathan Eddy is a freelance writer for InformationWeek. He has written for Popular Mechanics, Sales & Marketing Management Magazine, FierceMarkets, and CRN, among others. In 2012 he made his first documentary film, The Absent Column. He currently lives in Berlin.
