Impact
H2O is vulnerable to the HTTP/2 Rapid Reset attack.
By mounting the attack, an attacker might be able to consume an excessive amount of processing power on h2o and the backend servers.
Patches
All commits up to cb9f500 are vulnerable.
The vulnerability is fixed by #3291. Users are advised to upgrade to commit 28fe151 or later, which incorporates this pull request.
References
How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS attack