
410 matches found

RedHat Linux
added 2024/04/11 4:31 p.m. | 1 view

httpd: CONTINUATION frames DoS

A vulnerability was found in how Apache httpd implements the HTTP/2 protocol. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated remote attacker to send packets to vulnerable servers,...

CVSS 7.5 | AI score 7.1 | EPSS 0.91327
Exploits: 2 | References: 7
Oracle linux
added 2024/04/11 12:0 a.m. | 56 views

httpd:2.4/mod_http2 security update

httpd mod_http2 1.15.7-8.5 - Resolves: RHEL-29816 - httpd:2.4/mod_http2: httpd: CONTINUATION frames DoS CVE-2024-27316 mod_md...

CVSS 7.5 | AI score 7.4 | EPSS 0.91327
Exploits: 2
AlmaLinux
added 2024/04/11 12:0 a.m. | 177 views

Important: httpd:2.4/mod_http2 security update

The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. Security Fixes: httpd: mod_http2: CONTINUATION frames DoS CVE-2024-27316 For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related...

CVSS 7.5 | AI score 7.2 | EPSS 0.91327
Exploits: 2 | References: 4
OSV
added 2024/04/10 12:15 p.m. | 7 views

CVE-2024-31309

HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected. Users can set a new setting proxy.config.http2.max_continuation_frames_per_minute to limit the number of CONTINUATION frames...

CVSS 7.5 | AI score 7.5
Exploits: 0 | References: 8
OSV
added 2024/04/10 12:15 p.m. | 0 views

UBUNTU-CVE-2024-31309

HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected. Users can set a new setting proxy.config.http2.max_continuation_frames_per_minute to limit the number of CONTINUATION frames...

CVSS 7.5 | AI score 7.3 | EPSS 0.94615
Exploits: 1 | References: 6
F5 Networks
added 2024/04/09 11:15 a.m. | 24 views

K000139229: Tempesta vulnerability CVE-2024-2758

Security Advisory Description Tempesta FW rate limits are not enabled by default. They are either set too large to capture empty CONTINUATION frames attacks or too small to handle normal HTTP requests appropriately. CVE-2024-2758 Impact There is no impact; F5 products are not affected by this...

CVSS 6.3 | AI score 8.2 | EPSS 0.7275
Exploits: 0
OSV
added 2024/04/09 1:15 a.m. | 2 views

UBUNTU-CVE-2024-27983

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a T...

CVSS 8.2 | AI score 7 | EPSS 0.87211
Exploits: 1 | References: 4
Citrix
added 2024/04/09 12:0 a.m. | 5 views

Impact of HTTP/2 CONTINUATION frames being utilized for DoS attacks on Cloud Software Group Products

Cloud Software Group is aware of the reports describing HTTP/2 CONTINUATION frames being utilized for DoS attacks. HTTP/2 CONTINUATION frames can be utilized for DoS attacks HTTP/2 CONTINUATION Flood Cloud Software Group continues to investigate any potential impact on Cloud Software Group-manage...

AI score 7.1
Exploits: 0
Tenable Nessus
added 2024/04/09 12:0 a.m. | 24 views

SUSE SLES12 Security Update : go1.21 (SUSE-SU-2024:1161-1)

The remote SUSE Linux SLES12 / SLESSAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:1161-1 advisory. - An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames...

CVSS 7.5 | AI score 7.6 | EPSS 0.91969
Exploits: 1 | References: 5
OSV
added 2024/04/08 1:11 p.m. | 8 views

SUSE-SU-2024:1167-1 Security update for nghttp2

This update for nghttp2 fixes the following issues: - CVE-2024-28182: Fixed denial of service via http/2 continuation frames bsc1221399...

CVSS 5.3 | AI score 5.5 | EPSS 0.8496
Exploits: 1 | References: 3
OSV
added 2024/04/08 11:28 a.m. | 5 views

SUSE-SU-2024:1161-1 Security update for go1.21

This update for go1.21 fixes the following issues: - CVE-2023-45288: Fixed denial of service via HTTP/2 continuation frames bsc1221400 Other changes: - go minor release upgrade to 1.21.9 bsc1212475...

CVSS 7.5 | AI score 7.8 | EPSS 0.91969
Exploits: 1 | References: 4
OSV
added 2024/04/08 11:28 a.m. | 7 views

SUSE-SU-2024:1160-1 Security update for go1.22

This update for go1.22 fixes the following issues: - CVE-2023-45288: Fixed denial of service via HTTP/2 continuation frames bsc1221400 Other changes: - go minor release upgrade to 1.22.2 bsc1218424...

CVSS 7.5 | AI score 7.8 | EPSS 0.91969
Exploits: 1 | References: 4
Veracode
added 2024/04/08 6:22 a.m. | 26 views

Denial Of Service (DoS)

Envoy is vulnerable to Denial of Service (DoS). The vulnerability is due to allowing an unlimited number of CONTINUATION frames to be sent by the peer, even after exceeding Envoy's header map limits. Attackers can exploit this by sending a sequence of CONTINUATION frames without the END_HEADERS bit...

CVSS 5.3 | AI score 6.7 | EPSS 0.8781
Exploits: 1 | References: 7 | Affected Software: 1
Tenable Nessus
added 2024/04/08 12:0 a.m. | 24 views

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : go1.22 (SUSE-SU-2024:1121-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:1121-1 advisory. - An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessi...

CVSS 7.5 | AI score 7.6 | EPSS 0.91969
Exploits: 1 | References: 5
Tenable Nessus
added 2024/04/08 12:0 a.m. | 18 views

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : go1.21 (SUSE-SU-2024:1122-1)

The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:1122-1 advisory. - An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessi...

CVSS 7.5 | AI score 7.6 | EPSS 0.91969
Exploits: 1 | References: 5
BDU FSTEC
added 2024/04/06 12:0 a.m. | 1 view

The vulnerability of the amphp/http library and the amphp/http-client HTTP client allows an attacker to induce a service failure.

The vulnerability of the amphp/http library and the amphp/http-client HTTP client in terms of implementing the HTTP/2 protocol is related to uncontrolled memory allocation due to improper restrictions on the size of field blocks during the processing of CONTINUATION frames. Exploiting this...

CVSS 8.5 | AI score 7.5 | EPSS 0.83244
Exploits: 1 | References: 8 | Affected Software: 2
BDU FSTEC
added 2024/04/06 12:0 a.m. | 2 views

The vulnerability of the net/http and net/http2 libraries in the Go programming language is related to an uncontrolled resource consumption, allowing attackers to cause service failures.

The vulnerability of the net/http and net/http2 libraries in the Go programming language related to the implementation of the HTTP/2 protocol is related to an uncontrolled resource consumption due to incorrect determination of the end of headers during the processing of CONTINUATION frames...

CVSS 5.3 | AI score 6.9 | EPSS 0.91969
Exploits: 1 | References: 7 | Affected Software: 3
BDU FSTEC
added 2024/04/06 12:0 a.m. | 1 view

The vulnerability of Tempesta web applications’ firewalls, related to unlimited resource distribution, allows attackers to cause service interruptions.

The vulnerability of Tempesta web applications’ firewalls, particularly in terms of implementing HTTP/2 protocols, is related to an uncontrolled resource consumption due to incorrect determination of the end of headers during the processing of CONTINUATION frames. Exploiting this vulnerability...

CVSS 5.3 | AI score 7.8 | EPSS 0.7275
Exploits: 0 | References: 3 | Affected Software: 1
BDU FSTEC
added 2024/04/06 12:0 a.m. | 3 views

The vulnerability of the Apache Traffic Server web server, related to uncontrolled resource consumption, allows attackers to cause service interruptions.

The vulnerability of the Apache Traffic Server web server in terms of the implementation of the HTTP/2 protocol is related to an uncontrolled resource consumption due to incorrect determination of the end of headers during the processing of CONTINUATION frames. Exploiting this vulnerability can...

CVSS 7.8 | AI score 7.5 | EPSS 0.94615
Exploits: 1 | References: 11 | Affected Software: 1
BDU FSTEC
added 2024/04/06 12:0 a.m. | 4 views

The vulnerability of the `node::http2::Http2Session::~Http2Session()` function in HTTP/2 server software for Node.js allows attackers to cause service failures.

The vulnerability of the node::http2::Http2Session::Http2Session function in HTTP/2 server-side software for Node.js is related to an uncontrolled resource consumption due to incorrect handling of header termination when processing CONTINUATION frames. Exploiting this vulnerability can allow a...

CVSS 5.3 | AI score 7.2 | EPSS 0.87211
Exploits: 1 | References: 6 | Affected Software: 3