HTTP/2 Security Vulnerabilities

241 views

Skip to first unread message

Doug Fawley

unread,

Aug 13, 2019, 7:55:47 PM8/13/19

to grpc.io

Eight new DoS vulnerabilities in HTTP/2 implementations were disclosed today, as detailed by CERT Vulnerability Note VU#605641. gRPC implementations were potentially impacted by the following: CVE-2019-9512 (Ping Flood), CVE-2019-9514 (Reset Flood), CVE-2019-9515 (Settings Flood).

The following versions of gRPC contain fixes to these CVEs:

gRPC-Go: 1.23.0, 1.22.2, 1.21.3

Original fix: grpc/grpc-go#2970)

gRPC-Java: 1.23.0, 1.22.2, 1.21.1

(These releases are currently available but may not be indexed on search.maven.org.)
Original fix: grpc/grpc-java#6056

gRPC-C and wrapped languages: 1.23.0, 1.22.1

(Releases currently in progress.)
Original fix: grpc/grpc#19924

We recommend updating to one of these releases as soon as possible.

Reply all

Reply to author

Forward

0 new messages