HTTP2 SETTINGS FRAME Denial of Service

jbiskofski
April 19, 2020 12:06PM
Hello everyone.

I need to pass a security audit for a PCI compliance process.

A scan was performed on my servers and found a vulnerability in nginx:
"HTTP2 SETTINGS FRAME Denial of Service"

I upgraded nginx to the latest stable 1.16.1, which supposedly fixes that
issue. See:
https://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html

But the security scan is still reporting the same problem.
The scan report ends with: "technical details: sent HTTP2 request with 20
SETTINGS and received a valid response"

I do have http2 enabled, and need it to stay enabled.

Can someone please point me in the right direction about how to fix this? I
have a few questions:
Can I disable that "20 SETTINGS" request somehow?
Will that mess up my http2 connections?
Is there some other solution?
Should I try to update to mainline?

Here is the output of my nginx -V:

nginx version: nginx/1.16.1
built by clang 6.0.0 (tags/RELEASE_600/final 326565) (based on LLVM 6.0.0)
built with OpenSSL 1.0.2o-freebsd 27 Mar 2018
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
--with-http_v2_module

thanks!

- Jose
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx