
We have an environment where customers connect to a Cloudfront distribution via HTTP2 and then from the Cloudfront distribution to an Apache web server via an HTTP1 connection.

[ client ] ---(https, http/2)--> [ cloudfront ] ---(http, http/1)--> [ web server ]

Apache released an update (2.4.41) to fix vulnerabilities regarding http2 connections on August 20th. https://httpd.apache.org/security/vulnerabilities_24.html

I was wondering if it would be necessary to consider updating our web servers if these vulnerabilities can be exploited by using the HTTP/2 connection to Cloudfront that becomes HTTP/1 when hitting the web server.

If I am completely misunderstanding the nature of HTTP/2 and HTTP/1 and how they interact with Cloudfront, please let me know, and tell me where I could go to read and learn more about it.

nicepalpal
  • Users connect to CloudFront. Cloudfront connects to Apache, not the users. Have you used security groups or other firewalls to prevent anyone other than CloudFront connecting to your Apache server? If so, then you can probably get away without patching it; however, patching is best practice and you should probably patch regardless. – Tim Aug 23 '19 at 02:00
  • [Users connect to CloudFront. Cloudfront connects to Apache.] Should have thought about it this way. Thanks a lot. – nicepalpal Aug 26 '19 at 04:21
