Security Bulletin: IBM HTTP Server (powered by Apache) for IBM i is vulnerable to a denial of service attack using HTTP/2 protocol. [CVE-2024-27316]

Summary

IBM HTTP Server (powered by Apache) used by IBM i is vulnerable to a denial of service attack due to no limit of continuation fames in HTTP/2 protocol as described in the vulnerability details section. This bulletin identifies the steps to take to address the vulnerability as described in the remediation/fixes section.

Vulnerability Details

CVEID:CVE-2024-27316
**DESCRIPTION:**Apache HTTP Server is vulnerable to a denial of service, caused by the failure to check or limit the use of HTTP/2 CONTINUATION frames that can be sent within a single stream. By sending a stream of CONTINUATION frames that will not be appended to the header list in memory but will still be processed and decoded by the server or will be appended to the header list, a remote attacker could exploit this vulnerability to cause an out of memory (OOM) crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286950 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

The issue can be addressed by applying a PTF to IBM i. IBM i releases 7.5, 7.4, and 7.3 will be fixed.

The IBM i PTF number for 5770-DG1 contains the fix to resolve the vulnerability.

IBM i Release| 5770-DG1
PTF Number| PTF Download Link
—|—|—
7.5| SJ01169| <https://www.ibm.com/mysupport/s/fix-information?legacy=SJ01169&gt;
7.4| SJ01168| <https://www.ibm.com/mysupport/s/fix-information?legacy=SJ01168&gt;
7.3| SJ01156| <https://www.ibm.com/mysupport/s/fix-information?legacy=SJ01156&gt;

https://www.ibm.com/support/fixcentral

_Important note: _IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.

Workarounds and Mitigations

None.