DoS via Unlimited Stream Insertion

Hyper Project security advisory, August 4th 2016.

Vulnerability

An HTTP/2 implementation built using the priority library could be targeted by a malicious peer that assigns priority information for every possible HTTP/2 stream ID. The priority tree would happily continue to store the priority information for each stream, and would therefore allocate unbounded amounts of memory. Attempting to actually use a tree like this would also cause extremely high CPU usage to maintain the tree.

We are not aware of any active exploits of this vulnerability, but as this class of attack was publicly described in this report, users should assume that they are at imminent risk of this kind of attack.

Info

This issue has been given the name CVE-2016-6580.

Affected Versions

This issue affects all versions of the priority library prior to 1.2.0.

The Solution

In version 1.2.0, the priority library limits the maximum number of streams that can be inserted into the tree. By default this limit is 1000, but it is user-configurable.

If it is necessary to backport a patch, the patch can be found in this GitHub pull request.

Recommendations

We suggest you take the following actions immediately, in order of preference:

  1. Update priority to 1.2.0 immediately, and consider revising the maximum number of streams downward to a suitable value for your application.
  2. Backport the patch made available on GitHub.
  3. Manually enforce a limit on the number of priority settings you’ll allow at once.
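As an added illustration of the fix described under "The Solution" and of recommendation 3, the following stand-alone code shows a priority tree that refuses to store more than a configurable number of streams. It is example code written for this advisory, not the priority library's own implementation: the class and method names (`BoundedPriorityTree`, `insert_stream`, `TooManyStreamsError`) and the default limit of 1000 are assumptions chosen to mirror the behaviour described above.

```python
"""Added example for this advisory: a priority tree with a stream cap.
Stand-alone illustration, not the priority library's code; names are assumed."""


class TooManyStreamsError(Exception):
    """Raised when a peer tries to insert more streams than the tree allows."""


class BoundedPriorityTree:
    """Minimal HTTP/2 priority tree: every stream depends on a parent stream
    (0 is the implicit root) and carries a weight. The one hardening shown here
    is the cap on how many streams the tree will hold at once."""

    def __init__(self, maximum_streams=1000):
        if maximum_streams < 1:
            raise ValueError("maximum_streams must be positive")
        self.maximum_streams = maximum_streams
        # stream_id -> (parent_id, weight); stream 0 is the root, not a real stream
        self._streams = {0: (None, 0)}

    @property
    def stream_count(self):
        # Exclude the root when counting against the limit.
        return len(self._streams) - 1

    def insert_stream(self, stream_id, depends_on=0, weight=16):
        if stream_id in self._streams:
            raise ValueError("stream %d already in tree" % stream_id)
        if depends_on not in self._streams:
            # RFC 7540 section 5.3.1: a dependency on an unknown stream
            # is treated as a dependency on the root.
            depends_on = 0
        # This check closes the unbounded-allocation hole: reject the
        # insertion *before* storing anything for the new stream.
        if self.stream_count >= self.maximum_streams:
            raise TooManyStreamsError(
                "tree already holds %d streams (limit %d)"
                % (self.stream_count, self.maximum_streams)
            )
        self._streams[stream_id] = (depends_on, weight)

    def remove_stream(self, stream_id):
        """Closing a stream frees its slot; its children move up to its parent."""
        parent, _ = self._streams.pop(stream_id)
        for sid, (p, w) in self._streams.items():
            if p == stream_id:
                self._streams[sid] = (parent, w)


def accepted_under_flood(tree, attempted):
    """Defensive check: feed the tree a constructed stream of PRIORITY
    information for consecutive client-initiated (odd) stream IDs and return
    how many insertions it accepted before enforcing its limit."""
    accepted = 0
    for stream_id in range(1, 2 * attempted, 2):
        try:
            tree.insert_stream(stream_id)
        except TooManyStreamsError:
            break
        accepted += 1
    return accepted


if __name__ == "__main__":
    tree = BoundedPriorityTree(maximum_streams=1000)
    taken = accepted_under_flood(tree, 10_000)
    print("accepted %d of 10000 stream insertions" % taken)
```

The important property is that memory and CPU cost are bounded by `maximum_streams` rather than by how many stream IDs the peer chooses to reference, and that a slot is reclaimed when a stream is removed, so legitimate long-lived connections keep working under the cap.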

Timeline

This class of vulnerability was publicly disclosed in this report on the 3rd of August. We requested a CVE ID from Mitre the same day.

Priority 1.2.0 was released on the 4th of August, at the same time as the publication of this advisory.