The Imperva HTTP/2 Vulnerability Report and NGINX

On August 3, Imperva – an Internet security company – announced four potential security vulnerabilities in the HTTP/2 protocol, and issued a detailed report evaluating a number of web servers against these vulnerabilities.

As shown in the table (from page 19 of the Imperva report), NGINX 1.9.9 performed comparatively well in Imperva’s tests, and was not affected by three of the four potential vulnerabilities. Attempts to exploit the remaining vulnerability, “Slow Read”, caused a resource leakage in NGINX and ultimately allowed a denial-of-service attack against HTTP/2 services.

Imperva listed webserver vulnerabilities for HTTP/2
Vulnerabilities exposed in leading web servers

The fault was reported to NGINX, and was resolved promptly in the NGINX 1.9.12 and NGINX Plus R9 releases. We are pleased to confirm that none of the current versions of NGINX software – NGINX Plus, NGINX ‘mainline’, NGINX ‘stable’ – are vulnerable to any of the potential attacks described by Imperva.

If you have implemented HTTP/2 and are using a version of our software earlier than NGINX 1.9.12 or NGINX Plus R9, update your software. HTTP/2 is a complex and relatively new protocol, so it is wise to run the latest software version at all times.

We suggest you review our best practices for tuning NGINX and NGINX Plus. The tuning in a default Linux configuration is often quite conservative, and changing some parameters can increase the capacity of your NGINX or NGINX Plus system.

The Problem

As of August 2016, HTTP/2 is currently in use on roughly 9% of all websites, including very popular sites such as FaceBook, Google, and Wikipedia. Content delivery network (CDN) providers that use NGINX and NGINX Plus often include HTTP/2 as part of their offerings.

The complex design of HTTP/2 means there are many possible avenues that researchers can explore to seek out design or implementation weaknesses. The Imperva reports describes four potential vulnerabilities in HTTP/2:

When Imperva tested various web servers to see if they exhibited vulnerabilities, a variation of their “Slow Read” test exposed a resource-leakage bug in NGINX and NGINX Plus. This resource leakage ultimately resulted in a denial of service.

NGINX and NGINX Plus are not generally vulnerable to “Slow Read” attacks (often known as Slowloris). Imperva’s test case helped us to isolate a previously reported resource leakage bug. We were then able to address this error case by adding additional timeouts and guards to ensure that HTTP/2 resources were closed and released correctly, and we were able to verify that these measures are effective.

Mitigation

We strongly recommend upgrading to the latest version of NGINX and NGINX Plus, especially if you have implemented HTTP/2 and are using NGINX 1.9.11 or earlier, or NGINX Plus R8 or earlier. The resource leakage bug exposed by Imperva’s test case is not exhibited by NGINX 1.9.12 and later or NGINX Plus R9 and later.

NGINX and NGINX Plus provide effective ways to defeat the relevant vulnerability described in the Imperva report, and upgrading to the latest release of either product eliminates the vulnerability entirely.

To reduce your site’s vulnerability in general, we also recommend that you take the actions outlined in our post on mitigating DDoS attacks, including:

  • Limiting the rate of requests from any single user (the limit_req directive)
  • Limiting the number of connections that can be opened by a single client (the limit_conn directive)
  • Closing connections more quickly with more aggressive timeouts

If you have any questions, please comment on this post – or, if you are an NGINX Plus subscriber, don’t hesitate to contact our support team for assistance.

Cover image
Microservices: From Design to Deployment
The complete guide to microservices development