CVE-2024-31309

HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected. Users can set a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute. ATS does have a fixed amount of memory a request can use and ATS adheres to these limits in previous releases. Users are recommended to upgrade to versions 8.1.10 or 9.2.4 which fixes the issue.

CVSS

No CVSS.

References

Link	Resource
http://www.openwall.com/lists/oss-security/2024/04/03/16
http://www.openwall.com/lists/oss-security/2024/04/10/7
https://lists.apache.org/thread/f9qh3g3jvy153wh82pz4onrfj1wh13kc
https://lists.debian.org/debian-lts-announce/2024/04/msg00021.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBKLPQ6ECG4PGEPRCYI3Y3OITNDEFCCV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV77HYM7ARSTL3B6U3IFG7PHDU65WL4I/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3XON6RM5ZKCZ6K6NB7BOTAWMJQKXJDO/

Configurations

No configuration.

History

No history.

Information

Published : 2024-04-10 12:15

Updated : 2024-05-01 18:15

NVD link : CVE-2024-31309

Mitre link : CVE-2024-31309

CVE.ORG link : CVE-2024-31309

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2024-31309", "cveTags": [], "metrics": {}, "published": "2024-04-10T12:15:09.257", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/04/03/16", "source": "security@apache.org"}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/10/7", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread/f9qh3g3jvy153wh82pz4onrfj1wh13kc", "source": "security@apache.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00021.html", "source": "security@apache.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PBKLPQ6ECG4PGEPRCYI3Y3OITNDEFCCV/", "source": "security@apache.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV77HYM7ARSTL3B6U3IFG7PHDU65WL4I/", "source": "security@apache.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3XON6RM5ZKCZ6K6NB7BOTAWMJQKXJDO/", "source": "security@apache.org"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security@apache.org", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "HTTP/2 CONTINUATION\u00a0DoS attack can cause Apache Traffic Server to consume more resources on the server.\u00a0 Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are\u00a0affected.\n\nUsers can set a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute. \u00a0ATS does have a fixed amount of memory a request can use and ATS adheres to these limits in previous releases.\nUsers are recommended to upgrade to versions 8.1.10 or 9.2.4 which fixes the issue.\n\n"}, {"lang": "es", "value": "Un ataque de HTTP/2 CONTINUATION DoS puede hacer que Apache Traffic Server consuma m\u00e1s recursos en el servidor. Las versiones de 8.0.0 a 8.1.9 y de 9.0.0 a 9.2.3 se ven afectadas. Los usuarios pueden establecer una nueva configuraci\u00f3n (proxy.config.http2.max_continuation_frames_per_minuto) para limitar el n\u00famero de fotogramas de CONTINUACI\u00d3N por minuto. ATS tiene una cantidad fija de memoria que una solicitud puede usar y ATS cumple con estos l\u00edmites en versiones anteriores. Se recomienda a los usuarios actualizar a las versiones 8.1.10 o 9.2.4, que solucionan el problema."}], "lastModified": "2024-05-01T18:15:23.233", "sourceIdentifier": "security@apache.org"}