Summary
This table lists vendors and products affected by a set of vulnerabilities in HTTP/2 and QUIC implementations. For more information see vul note and researcher doc.
Matrix
| Vendor | Product | Version | Data Dribble | Ping Flood | Resource Loop | Reset Flood | Settings Flood | 0-Length Headers Leak (Nginx variant) | Internal Data Buffering | Empty Frames Flood |
|---|---|---|---|---|---|---|---|---|---|---|
| F5 | NGINX | 1.15.8 | Affected Addressed in | N | Y | N | N | Y | N | N |
| Go 1.12 (before Go 1.11.13 and Go 1.12.8) | N | Y | N | Y | N | N | N | N | ||
| Netty 4.1.27 | N | Y | N | Y | Y | |||||
| Apache 2.4.38 | N | N | N | N | N | Y | ||||
| Apache Tomcat 9.0.13 (w/ FreeBSD native library 1.2.16) | N | N | Borderline | N | N | N | ||||
| node.js 11.11.0 + libnghttp2 1.35.1 | Y | N | Y | Y | N | Y/N | N | |||
| Microsoft IIS | Y | Y | Y | Y | N | N | N | Y | ||
| gRPC C 1.21.0 | N | N | N | Y | Y | N | N | |||
| gRPC Java 1.21.0 (uses Netty) | N | N | N | N | Y | N | N | |||
| gRPC Go 1.21.0 | N | N | N | Y | Y | N | N | |||
| swift-nio-http2 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.4.0 | N | Y | N | Y | Y | Y | N | Y | ||
| hyper-2 (Python) | N | N | N | N | N | N | ||||
| Twisted 16.3.0, 16.3.1, 16.3.2, 16.4.0, 16.4.1, 16.5.0, 16.6.0, 17.1.0, 17.5.0, 17.9.0, 18.4.0, 18.7.0, 18.9.0, 19.2.0, 19.2.1, 19.7.0 | N | Y | N | Y | N | N | N | |||
| nghttp2 | Y | N | Y | N | N | N | N | |||
| Apache Traffic Server | N | Y | N | Y | Y | N | N | |||
| Envoy (all versions prior to 1.11.1) | N | Y | Y | Y | Y | N | N | Y | ||
| proxygen | N | Y | Y | Y | Y | N | N |
References
some urls?