Today, multiple Denial of Service (DoS) vulnerabilities were disclosed for a number of HTTP/2 server implementations. Cloudflare uses NGINX for HTTP/2. Customers using Cloudflare are already protected against these attacks.

The individual vulnerabilities, originally discovered by Netflix and are included in this announcement are:

• CVE-2019-9511 HTTP/2 Data Dribble

• CVE-2019-9512 HTTP/2 Ping Flood

• CVE-2019-9513 HTTP/2 Resource Loop

• CVE-2019-9514 HTTP/2 Reset Flood

• CVE-2019-9515 HTTP/2 Settings Flood

• CVE-2019-9516 HTTP/2 0-Length Headers Leak

• CVE-2019-9518 HTTP/2 Request Data/Header Flood

As soon as we became aware of these vulnerabilities, Cloudflare’s Protocols team started working on fixing them. We first pushed a patch to detect any attack attempts and to see if any normal traffic would be affected by our mitigations. This was followed up with work to mitigate these vulnerabilities; we pushed the changes out few weeks ago and continue to monitor similar attacks on our stack.

If any of our customers host web services over HTTP/2 on an alternative, publicly accessible path that is not behind Cloudflare, we recommend you apply the latest security updates to your origin servers in order to protect yourselves from these HTTP/2 vulnerabilities.

We will soon follow up with more details on these vulnerabilities and how we mitigated them.

Full credit for the discovery of these vulnerabilities goes to Jonathan Looney of Netflix and Piotr Sikora of Google and the Envoy Security Team.