DoS via Unlimited Stream Insertion
Hyper Project security advisory, August 4th 2016.
An HTTP/2 implementation built using the priority library could be targeted by a malicious peer that assigns priority information to every possible HTTP/2 stream ID. Stream IDs are 31-bit values, and a PRIORITY frame may name a stream that is still idle, so the peer never has to open any of those streams to make the tree grow. The priority tree would happily continue to store the priority information for each such stream, and would therefore allocate unbounded amounts of memory. Attempting to actually use a tree like this would also cause extremely high CPU usage to maintain the tree.
We are not aware of any active exploits of this vulnerability, but as this class of attack was publicly described in this report, users should assume that they are at imminent risk of this kind of attack.
This issue has been given the name CVE-2016-6580.
This issue affects all versions of the priority library prior to 1.2.0.
In version 1.2.0, the priority library limits the maximum number of streams that can be inserted into the tree. By default this limit is 1000, but it is user-configurable.
If it is necessary to backport a patch, the patch can be found in this GitHub pull request.
We suggest you take the following actions immediately, in order of preference:
- Update priority to 1.2.0 immediately, and consider revising the maximum number of streams downward to a suitable value for your application.
- Backport the patch made available on GitHub.
- Manually enforce a limit on the number of priority settings you’ll allow at once.
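The third option above, enforcing the cap yourself in the connection handler, is illustrated below. This is an added example written for this page, not the priority library's own code or API: `BoundedPriorityStore`, `TooManyStreamsError` and `handle_priority_frames` are hypothetical names, the store is a minimal stand-in for a real priority tree, and the flood of PRIORITY frames is constructed input. The structure mirrors the mitigation in 1.2.0 (a configurable maximum number of tracked streams, default 1000) and shows the two details a manual limit must get right: re-prioritising a stream that is already tracked must not consume a slot, and closing a stream must give its slot back.

```python
# Added example (not the priority library's code): a bounded per-stream
# priority store plus the connection-handler logic that refuses to grow it
# past a configurable cap. All class and function names here are illustrative.

MAX_STREAM_ID = 2**31 - 1  # HTTP/2 stream identifiers are 31-bit (RFC 7540 §5.1.1)
ROOT_STREAM = 0            # stream 0 is the implicit root of the dependency tree
ENHANCE_YOUR_CALM = 0xB    # HTTP/2 error code for a peer exceeding our limits


class TooManyStreamsError(Exception):
    """The peer tried to create more priority entries than the configured cap."""


class BoundedPriorityStore:
    """Tracks (depends_on, weight) per stream and never holds more than
    maximum_streams peer-created entries. The root does not count."""

    def __init__(self, maximum_streams=1000):
        if maximum_streams < 1:
            raise ValueError("maximum_streams must be positive")
        self.maximum_streams = maximum_streams
        self._entries = {ROOT_STREAM: (None, 16)}

    def __len__(self):
        # Peer-created entries only; the root is always present.
        return len(self._entries) - 1

    def dependency(self, stream_id):
        return self._entries[stream_id]

    def insert_or_update(self, stream_id, depends_on=ROOT_STREAM, weight=16):
        if not 0 < stream_id <= MAX_STREAM_ID:
            raise ValueError("invalid stream id %d" % stream_id)
        if not 1 <= weight <= 256:
            raise ValueError("weight must be in 1..256")
        if depends_on == stream_id:
            raise ValueError("a stream cannot depend on itself")
        # RFC 7540 §5.3.1: depending on an unknown stream falls back to the root.
        if depends_on not in self._entries:
            depends_on = ROOT_STREAM
        # Only a previously unseen stream id consumes a slot; re-prioritising
        # an existing stream is free, so legitimate clients are not penalised.
        if stream_id not in self._entries and len(self) >= self.maximum_streams:
            raise TooManyStreamsError(
                "refusing stream %d: %d streams already tracked" % (stream_id, len(self)))
        self._entries[stream_id] = (depends_on, weight)

    def remove(self, stream_id):
        """Drop a closed stream and re-parent its dependents to its parent,
        which reclaims the slot for the peer's next legitimate stream."""
        if stream_id == ROOT_STREAM:
            raise ValueError("cannot remove the root")
        removed = self._entries.pop(stream_id, None)
        if removed is None:
            return
        parent = removed[0]
        for sid, (dep, w) in list(self._entries.items()):
            if dep == stream_id:
                self._entries[sid] = (parent, w)


def handle_priority_frames(store, frames):
    """Apply a sequence of PRIORITY frames, each (stream_id, depends_on, weight).

    Returns (accepted_count, None) when every frame was applied, or
    (accepted_count, ENHANCE_YOUR_CALM) when the cap was hit, in which case
    the caller should send GOAWAY with that code and drop the connection."""
    accepted = 0
    for stream_id, depends_on, weight in frames:
        try:
            store.insert_or_update(stream_id, depends_on, weight)
        except TooManyStreamsError:
            return accepted, ENHANCE_YOUR_CALM
        accepted += 1
    return accepted, None


def flood_frames(count):
    """Constructed attacker input: PRIORITY frames for `count` distinct idle
    client streams. Client-initiated ids are odd, and none is ever opened."""
    return [(2 * i + 1, ROOT_STREAM, 16) for i in range(count)]


if __name__ == "__main__":
    store = BoundedPriorityStore(maximum_streams=1000)
    accepted, err = handle_priority_frames(store, flood_frames(5000))
    print("accepted %d frames, then error 0x%x" % (accepted, err))
    # → accepted 1000 frames, then error 0xb
```

Treating the overflow as a connection error rather than silently ignoring the frame is deliberate: a peer that has already sent a thousand priority updates for streams it never opened is not going to become well-behaved, and closing the connection bounds the CPU spent on it as well as the memory. Pick the cap from the concurrency your application actually needs, not from the default.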