We have received an urgent zero-day vulnerability notice related to an HTTP/2 attack. As SSO is internet-facing, we would like to check whether Broadcom has released any guidelines for SSO to mitigate it. Referring to the suggestion Microsoft provides in the 2nd URL, would it have any impact on our service?
Below are a few URLs for your reference:
Release: 12.8.06
HTTP2 support is dependent on the web server.
For Symantec Access Gateway, the httpd is not configured to support http2 by default. So, the CVE for HTTP2 is not a concern.
For other web servers (Apache, IIS, etc.), please check with the vendor, and follow their instructions to mitigate the problem.
For Apache web server, HTTP2 support has to be configured explicitly; please refer to the Apache documentation,
For IIS 10.0 or above, it supports http2 by default,
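To confirm the httpd statements above on a given server, the following added example (not Broadcom's or Apache's own code) reads httpd configuration text and reports whether HTTP/2 is actually switched on, meaning `mod_http2` is loaded and a `Protocols` directive lists `h2` or `h2c`. The sample configuration is constructed and the function names are hypothetical; `Include`d files and a statically compiled module are not covered.

```python
# Constructed sample httpd configuration (not from a real deployment).
SAMPLE_CONF = """\
# LoadModule http2_module modules/mod_http2.so
LoadModule http2_module modules/mod_http2.so
Protocols http/1.1
<VirtualHost *:443>
    protocols h2 \\
        http/1.1
</VirtualHost>
"""

def logical_lines(text):
    """Yield (first_line_no, line), joining lines continued with a backslash."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = no if start is None else start
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None

def audit_http2(text):
    """Report whether this configuration text turns HTTP/2 on.

    Assumptions: Include'd files are not followed, and a statically
    compiled mod_http2 has no LoadModule line (httpd -M lists modules).
    """
    module_loaded, hits = False, []
    for no, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split()
        name = parts[0].lower()  # directive names are case-insensitive
        if name == "loadmodule" and parts[1:2] == ["http2_module"]:
            module_loaded = True
        elif name == "protocols":
            h2 = [p.lower() for p in parts[1:] if p.lower() in ("h2", "h2c")]
            if h2:
                hits.append((no, h2))  # h2 = over TLS, h2c = cleartext
    # Without a Protocols directive httpd serves http/1.1 only.
    return {"module_loaded": module_loaded, "h2_directives": hits,
            "http2_enabled": module_loaded and bool(hits)}

if __name__ == "__main__":
    print(audit_http2(SAMPLE_CONF))
```

If `http2_enabled` is false for every configuration file the server reads, that server does not negotiate HTTP/2 and the HTTP2 CVE does not apply to it.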