Multiple HTTP/2 implementations are vulnerable to a variety of denial-of-service (DoS) attacks.
The Security Considerations section of RFC 7540 (Section 10) discusses some of the resource-management concerns that HTTP/2 raises, since an HTTP/2 connection demands more server-side state (streams, flow-control windows, HPACK tables, priority trees) than an HTTP/1.1 connection. It largely describes the expected behavior of a well-behaved peer; how to detect and mitigate abnormal behavior is left to the implementer, which can leave an implementation open to the following weaknesses.
CVE-2019-9511, also known as Data Dribble
The attacker requests a large amount of data over multiple streams, then manipulates the flow-control window size and stream priority so that the server must queue and send the response data in 1-byte chunks. Depending on how efficiently the implementation queues that data, this can consume excess CPU, memory, or both.
These attacks are cheap for the client and expensive for the server: a single end-system can consume enough CPU or memory on each target that it is able to degrade multiple servers at once, with an effect comparable to a Distributed DoS (DDoS) attack.
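The following simulation, added here as an illustration and not code from CERT/CC, Netflix or any affected vendor, shows the flow-control half of the Data Dribble pattern and one possible guard against it. The frame layout, the WINDOW_UPDATE rules and the ENHANCE_YOUR_CALM error code are taken from RFC 7540 (Sections 4.1, 6.9 and 7); the guard heuristic (abort the connection when the average DATA payload per frame stays tiny after a burst of frames), its thresholds, and the class and function names are assumptions chosen for this example, not the mitigation used by any particular implementation. The priority-manipulation side of the real attack is omitted.

```python
"""Flow-control simulation of the HTTP/2 "Data Dribble" pattern (CVE-2019-9511).

Constructed example: a server-side DATA sender driven by peer WINDOW_UPDATE
frames, first without and then with a simple "dribble" guard. Frame layout
follows RFC 7540 Section 4.1; the guard heuristic is an assumption for
illustration, not the mitigation of any particular implementation.
"""
import struct
from dataclasses import dataclass
from typing import Optional

FRAME_HEADER_LEN = 9             # 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id
TYPE_DATA = 0x0
TYPE_WINDOW_UPDATE = 0x8
FLAG_END_STREAM = 0x1
DEFAULT_MAX_FRAME_SIZE = 16384   # SETTINGS_MAX_FRAME_SIZE default (Section 6.5.2)
ENHANCE_YOUR_CALM = 0xB          # error code a peer sends under excessive load (Section 7)


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialize one HTTP/2 frame: 9-byte header followed by the payload."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload exceeds 24-bit length field")
    header = (struct.pack("!I", len(payload))[1:] + bytes([ftype, flags])
              + struct.pack("!I", stream_id & 0x7FFFFFFF))
    return header + payload


def decode_frame(buf: bytes):
    """Parse one frame from the front of buf; return (type, flags, stream_id, payload, rest)."""
    if len(buf) < FRAME_HEADER_LEN:
        raise ValueError("short frame header")
    length = int.from_bytes(buf[:3], "big")
    ftype, flags = buf[3], buf[4]
    stream_id = struct.unpack("!I", buf[5:9])[0] & 0x7FFFFFFF
    end = FRAME_HEADER_LEN + length
    if len(buf) < end:
        raise ValueError("truncated payload")
    return ftype, flags, stream_id, buf[FRAME_HEADER_LEN:end], buf[end:]


def window_update(stream_id: int, increment: int) -> bytes:
    """Build a WINDOW_UPDATE frame; Section 6.9 forbids increment 0 and caps it at 2^31-1."""
    if not 1 <= increment <= 0x7FFFFFFF:
        raise ValueError("illegal window increment")
    return encode_frame(TYPE_WINDOW_UPDATE, 0, stream_id, struct.pack("!I", increment))


@dataclass
class StreamSender:
    """Server side of one stream whose response body is gated by the peer's window."""
    body: bytes
    stream_id: int = 1
    window: int = 0                 # peer advertised SETTINGS_INITIAL_WINDOW_SIZE=0 (assumed)
    sent: int = 0
    frames_out: int = 0
    bytes_on_wire: int = 0
    closed_with: Optional[int] = None   # connection error code once the guard trips
    # Assumed guard heuristic: after guard_after_frames DATA frames, abort if the
    # average payload per frame is still below min_avg_payload bytes.
    guard: bool = False
    guard_after_frames: int = 64
    min_avg_payload: int = 1024

    def on_frame(self, raw: bytes) -> None:
        """Apply one peer frame; only WINDOW_UPDATE for our stream matters here."""
        ftype, _flags, sid, payload, rest = decode_frame(raw)
        if rest:
            raise ValueError("expected exactly one frame")
        if ftype == TYPE_WINDOW_UPDATE and sid == self.stream_id:
            self.window += struct.unpack("!I", payload)[0] & 0x7FFFFFFF
            self._flush()

    def _flush(self) -> None:
        """Emit DATA frames as far as the peer's window allows; each costs a 9-byte header."""
        while self.closed_with is None and self.window > 0 and self.sent < len(self.body):
            n = min(self.window, len(self.body) - self.sent, DEFAULT_MAX_FRAME_SIZE)
            chunk = self.body[self.sent:self.sent + n]
            flags = FLAG_END_STREAM if self.sent + n == len(self.body) else 0
            self.bytes_on_wire += len(encode_frame(TYPE_DATA, flags, self.stream_id, chunk))
            self.sent += n
            self.window -= n
            self.frames_out += 1
            if (self.guard and self.frames_out >= self.guard_after_frames
                    and self.sent / self.frames_out < self.min_avg_payload):
                self.closed_with = ENHANCE_YOUR_CALM   # send GOAWAY instead of dribbling on


def simulate(body_len: int, increment: int, guard: bool = False) -> dict:
    """Drive a sender with repeated WINDOW_UPDATEs of `increment` bytes until done or aborted."""
    s = StreamSender(body=b"A" * body_len, guard=guard)
    while s.sent < body_len and s.closed_with is None:
        s.on_frame(window_update(s.stream_id, increment))
    return {"frames": s.frames_out, "wire_bytes": s.bytes_on_wire,
            "overhead": s.bytes_on_wire / max(s.sent, 1), "closed_with": s.closed_with}


if __name__ == "__main__":
    print("dribble, no guard:", simulate(4096, 1))
    print("dribble, guarded :", simulate(4096, 1, guard=True))
    print("normal client    :", simulate(4096, 65535))
```

With 1-byte window increments the unguarded sender emits one DATA frame per body byte, so a 4096-byte body costs 4096 frames and ten bytes on the wire per byte of payload, plus a scheduler pass for each frame; a normal client that opens its window to 65535 receives the same body in a single frame. The guarded sender gives up after 64 such frames and signals ENHANCE_YOUR_CALM, bounding the work an attacker can extract from one connection. Any real threshold needs tuning against legitimate slow readers, which is exactly the judgement RFC 7540 leaves to the implementer.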
Apply an update. Upgrade affected HTTP/2 implementations to a version in which the vendor has addressed these CVEs.
Please see this matrix of affected products and vulnerabilities.
Thanks to Jonathan Looney of Netflix for reporting CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, and CVE-2019-9517.
Thanks to Piotr Sikora of Google, Envoy Security Team, for reporting CVE-2019-9518.
This document was written by Madison Oliver.