Preface: Slow HTTP attacks are denial-of-service (DoS) attacks. It was happened near decade ago. Such vulnerability let the people aware application security.
Background: Why do we need HTTP/2?
HTTP/2 allows the client to synchronously send multiple requests to the server through the same TCP connection, and the server can also use the same TCP connection to send back synchronously, thereby reducing additional RTT (round trip time). More……
Vulnerability details: On Jun 26 2020, vulnerability found on Apache Tomcat – limitation of system resources handling when Apache Tomcat upgrade to HTTP/2.
Above matter cause by the multi protocol function. Such design limitation cause Apache TomCat did not release the HTTP/1.1 resources. Whereby, it let the Apache Tomcat consumed all the memory thus trigger a denial of service.
Remedy (official announcement): Refer to link – http://mail-archives.us.apache.org/mod_mbox/www-announce/202010.mbox/%3C2b767c6e-dcb9-5816-bd69-a3bc0771fef3%40apache.org%3E