HTTP/2 Bomb Vulnerability

Here is what you need to know about LiteSpeed and the HTTP/2 Bomb vulnerability:

  • HTTP/2 Bomb is a remote denial-of-service exploit that exists in many servers’ default HTTP/2 configurations.
  • LiteSpeed server products (including LiteSpeed Web Server Enterprise, LiteSpeed Web ADC, and OpenLiteSpeed) are effectively not vulnerable to HTTP/2 Bomb attacks.

Who is affected by HTTP/2 Bomb?

The HTTP/2 Bomb vulnerability was announced this week on the Calif Substack after having previously been disclosed to nginx and Apache, who then released their own patches. Other servers, not including LiteSpeed, have since been included in the “affected” list.

LiteSpeed Web Server is an Apache drop-in replacement, but LiteSpeed does not share any code with Apache.

LiteSpeed’s from-the-ground-up implementation of Apache-compatible systems means that LiteSpeed is usually not subject to the same vulnerabilities as Apache. That is indeed the case with the HTTP/2 Bomb vulnerability.

How are LiteSpeed Users Protected?

We assessed the vulnerability and concluded that there is only one situation in which LiteSpeed servers may be exploitable via the HTTP/2 Bomb vulnerability:

  • If an IP address is added to the Trusted IP list, and is intentionally allowed to abuse the server, the HTTP/2 Bomb may have an effect.

We don’t anticipate that many admins have added their attacker’s IPs to the Trusted IP list, but even if they have, the amplification rate is roughly 30x to 40x. This should not be enough to bring down a server.

Just the same, we will add some tightening around this scenario in upcoming server product releases.

If you are using LiteSpeed Web Server Enterprise, LiteSpeed Web ADC, or OpenLiteSpeed, there is nothing you need to do right now. You are already immune to this attack, assuming your Trusted IP list contains only truly trustworthy IPs.
