CrowdHailer / Ace

HTTP web server and client, supports http1 and http2
https://hex.pm/packages/ace
MIT License

HTTP2 CVEs #134

Open blatyo opened 5 years ago

blatyo commented 5 years ago

A number of CVEs were published yesterday that affect a lot of HTTP2 implementations. I wanted to flag them here in case ace is also vulnerable to any of them.

Relevant vulnerabilities: https://www.kb.cert.org/vuls/id/605641/

Example of some mitigations: https://github.com/kubernetes/ingress-nginx/commit/333d9fd48d69730a03e087fb6e0f0dae5601c04f

CrowdHailer commented 4 years ago

At this point I think the only robust way to test this would be to try them out. Are there any tools that we can point at an Ace server and see how it manages?

Some of these issues I think would be at a lower level than Ace, but probably not all of them.

blatyo commented 4 years ago

I'm not aware of any tools to test these things. Not sure about it being at a lower level either. I assumed since this lib implemented the server side of HTTP2, it'd be the place that fixes it. For cowboy, these were the changes they made: https://github.com/ninenines/cowboy/commit/ab44985a9eeb1f664f38d6049a2532d83de7fa18

CrowdHailer commented 4 years ago

It probably is the place for most of the fixes that are required. I still think it would be good to verify how each attack affects Ace, where possible.

Probably the best thing to do would be to port the tests that were added in that commit you shared. Then we would have a framework to check the fixes had worked.
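The mitigations linked in this thread share one pattern: cap how many cheap-to-send control frames (PING, SETTINGS, RST_STREAM, empty DATA) a single connection may deliver per time window, and close the connection when the cap is exceeded. The module below is an added example written for this issue, not code from Ace or from the cowboy or ingress-nginx commits; the module name `FrameBudget`, the frame-type atoms, the window size and the per-window limits are all assumptions chosen for illustration, and the clock is passed in as an argument so the logic can be exercised from an ExUnit test in the way the last comment proposes.

```elixir
# Added example (not Ace's own code): a per-connection budget for HTTP/2
# control frames. Names, limits and the 10 s window are assumptions.
defmodule FrameBudget do
  @moduledoc """
  Counts the control frames received on one connection inside a fixed
  window and reports when the peer exceeds a limit, so the connection
  handler can send GOAWAY and close instead of letting one client drive
  unbounded CPU or memory use.
  """

  defstruct window_ms: 10_000, started_at: 0, counts: %{}, limits: %{}

  # Sample limits per window; the values are constructed for illustration
  # and should be tuned against a real deployment's traffic.
  @default_limits %{ping: 100, settings: 100, rst_stream: 100, empty_data: 100}

  @doc "Start a fresh budget; `now_ms` is injected so the logic is testable."
  def new(now_ms, limits \\ @default_limits, window_ms \\ 10_000) do
    %__MODULE__{window_ms: window_ms, started_at: now_ms, counts: %{}, limits: limits}
  end

  @doc """
  Record one frame of `type` observed at `now_ms`.
  Returns `{:ok, budget}` or `{:error, {:flood, type}, budget}`.
  Frame types without a configured limit are never counted.
  """
  def record(%__MODULE__{} = budget, type, now_ms) do
    budget = maybe_reset(budget, now_ms)

    case Map.fetch(budget.limits, type) do
      :error ->
        {:ok, budget}

      {:ok, limit} ->
        count = Map.get(budget.counts, type, 0) + 1
        budget = %{budget | counts: Map.put(budget.counts, type, count)}
        if count > limit, do: {:error, {:flood, type}, budget}, else: {:ok, budget}
    end
  end

  # Once the window has elapsed, start a new one with zeroed counters.
  defp maybe_reset(%__MODULE__{started_at: started, window_ms: window} = budget, now_ms)
       when now_ms - started >= window do
    %{budget | started_at: now_ms, counts: %{}}
  end

  defp maybe_reset(budget, _now_ms), do: budget
end

# Usage sketch: a connection process calls FrameBudget.record/3 for each
# parsed control frame and closes the connection on {:error, ...}.
# The fold below feeds a constructed burst of 101 PING frames spaced 10 ms
# apart, then one PING after the window has rolled over.
{burst_result, budget} =
  Enum.reduce_while(1..101, {:ok, FrameBudget.new(0)}, fn i, {:ok, b} ->
    case FrameBudget.record(b, :ping, i * 10) do
      {:ok, b2} -> {:cont, {:ok, b2}}
      {:error, reason, b2} -> {:halt, {reason, b2}}
    end
  end)

IO.inspect(burst_result, label: "burst")
IO.inspect(elem(FrameBudget.record(budget, :ping, 20_000), 0), label: "after window")
```

Keeping the clock as an argument rather than calling `System.monotonic_time/1` inside the module is what makes a ported flood test deterministic: an ExUnit test can replay a recorded frame sequence with synthetic timestamps and assert exactly which frame trips the budget, without sleeping or depending on scheduler timing.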