...
For feedback on this matrix, send mail to cert@cert.org with VU#605641 in the subject.
Matrix
The list of vendors and products is not complete. It primarily contains original implementations of HTTP/2 from organizations involved in the coordinated vulnerability disclosure process.
Vendor | Product | Version Information | Data Dribble (CVE-2019-9511) | Ping Flood (CVE-2019-9512) | Resource Loop (CVE-2019-9513) | Reset Flood (CVE-2019-9514) | Settings Flood (CVE-2019-9515) | 0-Length Headers Leak (CVE-2019-9516) | Internal Data Buffering (CVE-2019-9517) | Empty Frames Flood (CVE-2019-9518)
---|---|---|---|---|---|---|---|---|---|---
Apache | HTTP Server | 2.4.38 | Not affected | Not affected | Not affected | ? | Not affected | Not affected | Affected | ?
Apache | Tomcat | 9.0.13 (using FreeBSD native library 1.2.16) and presumably earlier | Not affected | Not affected | Affected* (https://markmail.org/message/konb64olyan5ye6t; * "just a little") | Not affected | Not affected | Not affected | Not affected | Not affected
Apache | Traffic Server | ? | Not affected | Affected | Not affected | Affected | Affected | Not affected | Not affected | ?
Apple | macOS | macOS Sierra 10.12 and later are vulnerable; uses SwiftNIO | Not affected | Affected | Not affected | Affected | Affected | Affected | Not affected | Affected
Envoy | Envoy | Prior to 1.11.1 are vulnerable; fixed in 1.11.1 (https://groups.google.com/forum/#!topic/envoy-announce/ZLchtraPYVk) | Not affected | Affected | Affected | Affected | Affected | Not affected | Not affected | Affected
F5 | NGINX, NGINX Plus | 1.9.5 - 1.17.2 are vulnerable; fixed in 1.16.1 (stable), 1.17.3 (mainline), and NGINX Plus R18 P1 (http://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html, https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/) | Affected | Not affected | Affected | Not affected | Not affected | Affected | Not affected | Not affected
Facebook | Proxygen | ? | Not affected | Affected | Affected | Affected | Affected | Not affected | Not affected | ?
Go | net/http, x/net/http2 | Go 1.11 before 1.11.13 and Go 1.12 before 1.12.8 are vulnerable; fixed in Go 1.12.8 and 1.11.13, and in x/net/http2 v0.0.0-20190813141303-74dc4d7220e7 (https://groups.google.com/forum/#!msg/golang-announce/65QixT3tcmg/DrFiG6vvCwAJ) | Not affected | Affected | Not affected | Affected | Not affected | Not affected | Not affected | Not affected
gRPC | gRPC C | 1.21.0 | Not affected | Not affected | Not affected | Affected | Affected | Not affected | Not affected | ?
gRPC | gRPC Java | 1.21.0 (uses Netty) | Not affected | Not affected | Not affected | Not affected | Affected | Not affected | Not affected | ?
gRPC | gRPC Go | 1.21.0 | Not affected | Not affected | Not affected | Affected | Affected | Not affected | Not affected | ?
H2O Project | H2O | Fixed in 2.2.6 and 2.3.0 beta2 (https://github.com/h2o/h2o/issues/2090) | Not affected | Affected | Not affected | Affected | Affected | Not affected | Not affected | Not affected
HAProxy | HAProxy | 1.8 to 2.1-dev are not affected (https://www.mail-archive.com/haproxy@formilux.org/msg34717.html) | Not affected | Not affected | Not affected | Not affected | Not affected | Not affected | Not affected | Not affected
Hyper | Hyper: HTTP/2 for Python | See https://python-hyper.org/en/latest/security.html | Not affected | Not affected | Not affected | Not affected | Not affected | Not affected | Not affected | Not affected
Istio | Istio | Fixed in 1.1.13 and 1.2.4; uses Envoy (ISTIO-SECURITY-2019-004) | Not affected | Affected | Affected | Affected | Affected | Not affected | Not affected | Affected
LiteSpeed | LSWS, ADC, OpenLiteSpeed | Fixed in: (https://blog.litespeedtech.com/2019/08/15/litespeed-addresses-http-2-dos-advisories/) | Not affected | Affected | Not affected | Not affected | Affected | Affected | Not affected | Affected
Microsoft | Windows Internet Information Server (IIS) | Windows 10; Windows Server 2016 and 2019; Windows Server, version 1803 and version 1903 | Affected (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-9511) | Affected (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-9512) | Affected (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-9513) | Affected (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-9514) | Not affected | Not affected | Not affected | Affected (https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-9518)
Netty Project | Netty | 4.1.27 and presumably prior are vulnerable; fixed in 4.1.39 (https://netty.io/news/2019/08/13/4-1-39-Final.html) | Not affected | Affected | Not affected | Affected | Affected | Not affected | Not affected | Not affected
nghttp2 | HTTP/2 C Library | Prior to 1.39.2 are vulnerable; fixed in 1.39.2 | Affected | Not affected | Affected | Not affected | Not affected | Not affected | Not affected | Not affected
Node.js Project | Node.js | 8, 10, and 12 are vulnerable (https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/) | Affected | Affected | Affected | Affected | Affected | Affected | Affected | Affected
Swift | SwiftNIO HTTP/2 (swift-nio-http2) | 1.0.0 - 1.4.0 inclusive are vulnerable (https://forums.swift.org/t/swiftnio-http-2-security-notice/27855) | Not affected | Affected | Not affected | Affected | Affected | Not affected | Not affected | Affected
Twisted Matrix Labs | Twisted | 16.3.0 - 19.7.0 are vulnerable | Not affected | Affected | Not affected | Affected | Affected | Not affected | Not affected | Not affected

"?" means the status of that product against that attack was not reported.
Other References
https://blog.cloudflare.com/on-the-recent-http-2-dos-attacks/
https://blogs.akamai.com/sitr/2019/08/http2-vulnerabilities.html
https://news.ycombinator.com/item?id=20688178