
A recently disclosed class of vulnerabilities in HTTP/2 implementations, named “CONTINUATION Flood,” poses a significant denial-of-service (DoS) threat to web servers. In affected implementations, an attacker can crash or stall a server using nothing more than a single TCP connection.
HTTP/2, standardized in 2015 (RFC 7540), was designed to improve web performance through binary framing for efficient data transmission, multiplexing of multiple requests and responses over a single connection, and HPACK header compression to reduce overhead.
The “CONTINUATION Flood” vulnerability was discovered by security researcher Bartek Nowotarski, who identified flaws in how various HTTP/2 implementations handle CONTINUATION frames. A header block that does not fit in a single HEADERS (or PUSH_PROMISE) frame is split into fragments; CONTINUATION frames carry the remaining fragments, and the receiver must stitch them together until a frame carrying the END_HEADERS flag marks the block complete. The same mechanism applies to trailers.
In affected implementations, the missing check is a limit on how much header data may be buffered before END_HEADERS arrives. An attacker sends a HEADERS frame followed by an effectively endless stream of CONTINUATION frames, none of which sets the END_HEADERS flag, so the header block never completes. Depending on the implementation, the result is an out-of-memory crash as fragments accumulate, or CPU exhaustion from processing the frames. Because the request never completes, it also never reaches the application layer, so the attack typically leaves no trace in ordinary HTTP access logs.
Nowotarski highlighted the severity of the issue, particularly regarding out-of-memory crashes, stating that affected implementations may crash servers using just a single HTTP/2 TCP connection.
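The following is an added example, not code from the article or from any of the projects it names. It reproduces the frame sequence described above entirely offline on a byte buffer: one HEADERS frame followed by CONTINUATION frames that never set END_HEADERS, fed to two toy receivers. The first buffers header-block fragments until END_HEADERS arrives (the unbounded pattern that leads to memory exhaustion); the second enforces a cap on the partially received header block. The frame layout follows RFC 7540; the 16 KiB cap, the `HeaderBlockTooLarge` error and the class names are illustrative assumptions, and the payload bytes stand in for an HPACK-encoded header block and are never decoded.

```python
"""HTTP/2 CONTINUATION Flood reproduced offline (added example, not project code)."""
import struct

# RFC 7540 frame types and flags used here
FRAME_HEADERS = 0x1
FRAME_CONTINUATION = 0x9
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4


def encode_frame(frame_type: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload exceeds 24-bit frame length")
    length = struct.pack(">I", len(payload))[1:]  # low three bytes of a big-endian uint32
    return length + bytes([frame_type, flags]) + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def decode_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each frame in the buffer."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        frame_type, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield frame_type, flags, stream_id, payload
        off += 9 + length


def build_continuation_flood(stream_id: int, fragment: bytes, count: int) -> bytes:
    """HEADERS without END_HEADERS, then `count` CONTINUATION frames without END_HEADERS.

    The header block therefore never completes. `fragment` is a constructed stand-in
    for an HPACK-encoded header block fragment; nothing here decodes it."""
    frames = [encode_frame(FRAME_HEADERS, FLAG_END_STREAM, stream_id, fragment)]
    frames += [encode_frame(FRAME_CONTINUATION, 0, stream_id, fragment) for _ in range(count)]
    return b"".join(frames)


class UnboundedReceiver:
    """Vulnerable pattern: append fragments until END_HEADERS, with no size limit."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, data: bytes) -> int:
        for ftype, flags, _sid, payload in decode_frames(data):
            if ftype in (FRAME_HEADERS, FRAME_CONTINUATION):
                self.buf += payload            # grows for as long as the attacker keeps sending
                if flags & FLAG_END_HEADERS:
                    self.buf = bytearray()     # a real server would HPACK-decode here
        return len(self.buf)                   # bytes still held for an unfinished block


class HeaderBlockTooLarge(Exception):
    """Hypothetical stand-in for the connection error a hardened server would send."""


class BoundedReceiver:
    """Hardened pattern: apply the limit to the partial block as fragments arrive,
    not only once END_HEADERS has been seen."""

    def __init__(self, max_header_block: int = 16 * 1024):  # cap value is an illustrative choice
        self.max_header_block = max_header_block
        self.buf = bytearray()

    def feed(self, data: bytes) -> int:
        for ftype, flags, _sid, payload in decode_frames(data):
            if ftype in (FRAME_HEADERS, FRAME_CONTINUATION):
                if len(self.buf) + len(payload) > self.max_header_block:
                    raise HeaderBlockTooLarge(len(self.buf) + len(payload))
                self.buf += payload
                if flags & FLAG_END_HEADERS:
                    self.buf = bytearray()
        return len(self.buf)


def demo(count: int = 1000, fragment_size: int = 1024) -> dict:
    """Run the same constructed flood through both receivers and report what each did."""
    flood = build_continuation_flood(1, b"\x00" * fragment_size, count)
    unbounded = UnboundedReceiver().feed(flood)
    try:
        BoundedReceiver().feed(flood)
        bounded = "accepted"
    except HeaderBlockTooLarge as e:
        bounded = f"rejected at {e.args[0]} bytes"
    return {"frames": count + 1, "unbounded_buffer": unbounded, "bounded": bounded}


if __name__ == "__main__":
    print(demo())
```

With the defaults, the unbounded receiver is left holding roughly 1 MiB for a request that will never complete, and nothing stops the count from being a million frames instead of a thousand; the bounded receiver rejects the connection on the 17th fragment. Real implementations fixed the issue in different ways, for example by capping the number of CONTINUATION frames per header block or the total bytes buffered, but the principle is the same: the limit must be enforced before END_HEADERS, not after.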
Separate CVE IDs have been assigned to the affected HTTP/2 implementations. The impact varies by implementation, from memory leaks and excessive memory consumption to CPU exhaustion, but all of them are denial-of-service conditions:
- CVE-2024-27983: Node.js HTTP/2 server
- CVE-2024-27919: Envoy’s oghttp codec
- CVE-2024-2758: Tempesta FW
- CVE-2024-2653: amphp/http
- CVE-2023-45288: Go’s net/http and golang.org/x/net/http2 packages
- CVE-2024-28182: Implementations using the nghttp2 library
- CVE-2024-27316: Apache Httpd
- CVE-2024-31309: Apache Traffic Server
- CVE-2024-30255: Envoy versions 1.29.2 or earlier
According to the CERT Coordination Center (CERT/CC), vendors and HTTP/2 library maintainers including Red Hat, SUSE Linux, Arista Networks, the Apache HTTP Server Project, nghttp2, Node.js, AMPHP, and the Go Programming Language have confirmed that they are affected.
Given how widely HTTP/2 is deployed and how little an attacker needs to trigger the condition, affected servers and libraries should be updated promptly. Servers left unpatched remain exposed to trivial denial-of-service attacks.
In conclusion, the “CONTINUATION Flood” vulnerability poses a severe threat to web server infrastructure and underscores the importance of proactive security measures and timely updates to mitigate the risk of exploitation.