HTTP/2 Bomb: OpenAI's Codex uncovers critical DoS risk for streaming infrastructure
OpenAI's Codex AI assisted in discovering CVE-2023-44487, an HTTP/2 denial-of-service vulnerability dubbed an "HTTP/2 Bomb," which can crash web servers by consuming over 30GB of RAM within seconds. Major providers including Amazon, Cloudflare, Google, and Microsoft have released patches, necessitating immediate updates for streaming service infrastructure. This poses a critical security risk for streaming providers relying on HTTP/2 for content delivery.
Key Takeaways
- The 'HTTP/2 Bomb' (CVE-2023-44487) exploits HTTP/2 frame streams, forcing servers to consume over 30GB of RAM rapidly.
- OpenAI's Codex AI, which powers GitHub Copilot, was used to generate exploit scripts to confirm the vulnerability.
- Amazon, Cloudflare, Google, and Microsoft have issued patches or mitigations to address the flaw.
- The attack abuses the protocol's ability to cancel in-flight requests: each request the client opens and immediately cancels still costs the server work, and repeating that open-and-cancel cycle rapidly creates a resource-intensive loop.
- Streaming providers using HTTP/2 are advised to update infrastructure immediately to prevent exploitation.
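The mitigation most servers shipped for this class of abuse is a per-connection bound on how many streams a client may cancel within a time window (plus the existing concurrent-stream limit). The following is an added example written for this summary, not code from the article or from any vendor patch; the thresholds, the event format and the two traffic samples are constructed assumptions.

```python
from collections import deque

# Constructed thresholds (assumption): real deployments tune these per server.
MAX_CANCELS_PER_WINDOW = 100
WINDOW_SECONDS = 1.0
MAX_CONCURRENT_STREAMS = 100


class CancelRateGuard:
    """Tracks one HTTP/2 connection and decides when to tear it down."""

    def __init__(self, max_cancels=MAX_CANCELS_PER_WINDOW,
                 window_s=WINDOW_SECONDS, max_concurrent=MAX_CONCURRENT_STREAMS):
        self.max_cancels = max_cancels
        self.window_s = window_s
        self.max_concurrent = max_concurrent
        self.open_streams = set()    # stream ids the server is still working on
        self.cancel_times = deque()  # timestamps of recent RST_STREAM frames

    def _expire(self, now):
        # Drop cancel timestamps that fell out of the sliding window.
        while self.cancel_times and now - self.cancel_times[0] > self.window_s:
            self.cancel_times.popleft()

    def on_headers(self, stream_id, now):
        """Client opened a stream (HEADERS frame). Returns 'ok' or 'close'."""
        self.open_streams.add(stream_id)
        if len(self.open_streams) > self.max_concurrent:
            return "close"  # more open streams than the server advertised
        return "ok"

    def on_rst_stream(self, stream_id, now):
        """Client cancelled a stream (RST_STREAM). Returns 'ok' or 'close'."""
        self.open_streams.discard(stream_id)  # work already started is sunk cost
        self._expire(now)
        self.cancel_times.append(now)
        if len(self.cancel_times) > self.max_cancels:
            return "close"  # too many cancels in the window: treat as abuse
        return "ok"


def replay(events, guard=None):
    """Feed (time, frame, stream_id) tuples; return the index of the event that
    triggered the close, or None if the connection stayed within limits."""
    guard = guard or CancelRateGuard()
    for i, (t, frame, sid) in enumerate(events):
        verdict = guard.on_headers(sid, t) if frame == "HEADERS" else guard.on_rst_stream(sid, t)
        if verdict == "close":
            return i
    return None


# Constructed traffic: a normal client opening 5 streams and cancelling 2 over 10 s.
BENIGN = [(0.0, "HEADERS", 1), (0.5, "HEADERS", 3), (1.0, "RST_STREAM", 3),
          (4.0, "HEADERS", 5), (6.0, "HEADERS", 7), (8.0, "RST_STREAM", 7),
          (9.5, "HEADERS", 9)]

# Constructed traffic: 200 open-then-cancel pairs squeezed into half a second.
RAPID_RESET = []
for n in range(200):
    RAPID_RESET += [(n * 0.0025, "HEADERS", 2 * n + 1), (n * 0.0025, "RST_STREAM", 2 * n + 1)]
```

The benign sample never trips the guard, while the rapid cancel sample closes the connection on the 101st RST_STREAM even though it never holds more than one stream open at a time, which is exactly why a concurrent-stream limit alone does not stop this pattern.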
Why It Matters
This HTTP/2 vulnerability presents an immediate operational risk for streaming services, as unpatched servers are susceptible to rapid shutdown. Given the widespread use of HTTP/2 for content delivery, the incident underscores the need for continuous vigilance in protocol-level security and prompt patching cycles across the media supply chain. Monitoring the speed and completeness of patch deployments across the vendor ecosystem will indicate overall industry resilience.
Read full article at techradar.com
