oss-security - CVE-2024-31309: Apache Traffic Server: HTTP/2 CONTINUATION frames can be utilized for DoS attack

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [day] [month] [year] [list]

Date: Wed, 10 Apr 2024 15:16:21 +0000
From: Bryan Call <bcall@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-31309: Apache Traffic Server: HTTP/2 CONTINUATION frames
 can be utilized for DoS attack 

Severity: moderate

Affected versions:

- Apache Traffic Server 8.0.0 through 8.1.9
- Apache Traffic Server 9.0.0 through 9.2.3

Description:

HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server.  Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected.

Users can set a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute.  ATS does have a fixed amount of memory a request can use and ATS adheres to these limits in previous releases.
Users are recommended to upgrade to versions 8.1.10 or 9.2.4 which fixes the issue.

Credit:

Bartek Nowotarski (reporter)

References:

https://lists.apache.org/thread/f9qh3g3jvy153wh82pz4onrfj1wh13kc
https://trafficserver.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-31309

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.