An HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume
more resources on the server. Versions 8.0.0 through 8.1.9 and 9.0.0 through
9.2.3 are affected. Users can set the new setting
proxy.config.http2.max_continuation_frames_per_minute to limit the number
of CONTINUATION frames per minute. ATS has a fixed limit on the amount of
memory a request can use, and previous releases adhere to these limits. Users
are recommended to upgrade to version 8.1.10 or 9.2.4, which fix the
issue.
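
To show what a per-minute CONTINUATION limit of the kind described above has to count, here is an added example (not ATS code and not part of the advisory) that parses the 9-byte HTTP/2 frame header and flags the first CONTINUATION frame on a connection that exceeds a limit. The sliding 60-second window, the limit of 5 and the sample frames are assumptions constructed for the demonstration.

```python
import struct
from collections import deque

CONTINUATION = 0x9   # HTTP/2 frame type, RFC 9113 section 6.10
HEADERS = 0x1
END_HEADERS = 0x4    # flag that terminates a header block

def frame(ftype, flags, stream_id, payload=b""):
    """Serialize one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, stream_id) + payload

def parse_frames(buf):
    """Yield (type, flags, stream_id) for each complete frame in buf."""
    off = 0
    while off + 9 <= len(buf):
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, off)
        length = (hi << 16) | lo
        if off + 9 + length > len(buf):
            break                      # truncated trailing frame: stop
        yield ftype, flags, sid & 0x7FFFFFFF
        off += 9 + length

def first_violation(events, max_per_minute):
    """events: (timestamp_seconds, raw_bytes) pairs from one connection.
    Return (timestamp, stream_id) of the first CONTINUATION frame that
    exceeds max_per_minute within a sliding 60 s window, else None."""
    window = deque()
    for ts, raw in events:
        for ftype, _flags, sid in parse_frames(raw):
            if ftype != CONTINUATION:
                continue
            while window and ts - window[0] >= 60.0:
                window.popleft()       # forget frames older than one minute
            window.append(ts)
            if len(window) > max_per_minute:
                return ts, sid
    return None

# Constructed samples (not captured traffic). LIMIT is an arbitrary value.
LIMIT = 5
NORMAL = [(0.0, frame(HEADERS, 0, 1, b"\x82") + frame(CONTINUATION, 0, 1, b"\x86")
           + frame(CONTINUATION, END_HEADERS, 1, b"\x84"))]
BURST = [(0.0, frame(HEADERS, 0, 1))] + [
    (float(i), frame(CONTINUATION, 0, 1)) for i in range(1, 11)]

if __name__ == "__main__":
    print("normal:", first_violation(NORMAL, LIMIT))
    print("burst: ", first_violation(BURST, LIMIT))
```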

OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | trafficserver | < any | UNKNOWN |
ubuntu | 20.04 | noarch | trafficserver | < any | UNKNOWN |
ubuntu | 22.04 | noarch | trafficserver | < any | UNKNOWN |
ubuntu | 24.04 | noarch | trafficserver | < any | UNKNOWN |
ubuntu | 16.04 | noarch | trafficserver | < any | UNKNOWN |

bugzilla.redhat.com/show_bug.cgi?id=2269627
github.com/apache/trafficserver/commit/d8cb125e55ad7f9cc043e655f7ef25acbbbe0a2c
github.com/apache/trafficserver/pull/11207
launchpad.net/bugs/cve/CVE-2024-31309
nvd.nist.gov/vuln/detail/CVE-2024-31309
security-tracker.debian.org/tracker/CVE-2024-31309
www.cve.org/CVERecord?id=CVE-2024-31309
www.kb.cert.org/vuls/id/421644