A vulnerability was found in HTTP/2. An attacker can open an HTTP/2 window so the peer can send without constraint. The TCP window remains closed so the peer cannot write the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the server's queue is set up, the responses can consume excess memory, CPU, or both, potentially leading to a denial of service. The highest threat from this vulnerability is to system availability.
The httpd version shipped with Red Hat Enterprise Linux 8 provides HTTP/2 support through the mod_http2 package. Until the mod_http2 package is updated, users can disable HTTP/2 support as a mitigation by executing the following steps:
1. Stop httpd service:
$ systemctl stop httpd
2. Remove HTTP/2 protocol support from configuration files:
$ sed -i 's/\(h2\)\|\(h2c\)//g' <httpd_config_file>
3. Validate configuration files to make sure all syntax is valid:
$ apachectl configtest
4. Restart httpd service:
$ systemctl start httpd
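
The sed expression in step 2 deletes every occurrence of "h2" in the file, including inside paths or host names, and can leave a Protocols directive with no arguments. The script below is an added example, not part of Red Hat's procedure: it edits only Protocols lines and falls back to http/1.1 when nothing else remains. The function names list_h2 and strip_h2 are hypothetical and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: drop h2/h2c only from "Protocols" directive lines.

# list_h2 FILE...: print Protocols lines that still enable HTTP/2.
# Exit status is 0 if any were found, 1 if none.
list_h2() {
    awk 'tolower($1) == "protocols" {
             for (i = 2; i <= NF; i++)
                 if (tolower($i) == "h2" || tolower($i) == "h2c") {
                     print FILENAME ":" FNR ": " $0; found = 1; break
                 }
         }
         END { exit !found }' "$@"
}

# strip_h2 FILE: rewrite FILE in place, keeping the original as FILE.bak.
strip_h2() {
    cp -p "$1" "$1.bak" || return 1
    awk 'tolower($1) == "protocols" {
             indent = $0; sub(/[^ \t].*$/, "", indent)
             kept = ""
             for (i = 2; i <= NF; i++)
                 if (tolower($i) != "h2" && tolower($i) != "h2c")
                     kept = kept " " $i
             # Never leave the directive without arguments.
             if (kept == "") kept = " http/1.1"
             print indent $1 kept
             next
         }
         { print }' "$1.bak" > "$1"
}

# Constructed sample configuration (not taken from a real host).
demo() {
    conf=$(mktemp) || return 1
    cat > "$conf" <<'EOF'
Protocols h2 h2c http/1.1
<VirtualHost *:443>
    Protocols h2
    DocumentRoot /var/www/h2site
</VirtualHost>
EOF
    list_h2 "$conf"          # two lines reported before the edit
    strip_h2 "$conf"
    list_h2 "$conf" || echo "no HTTP/2 protocols left in $conf"
    cat "$conf"
    rm -f "$conf" "$conf.bak"
}
demo
```

Run list_h2 over every included configuration file before step 3, then continue with apachectl configtest as above.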