What you should know: HTTP/2 CONTINUATION Flood Vulnerability

A new class of vulnerabilities in specific implementations of the HTTP/2 protocol, dubbed “HTTP/2 CONTINUATION Flood,” has been discovered, causing concern across the Internet. Various affected products have already been identified and assigned CVEs, with more expected to be disclosed in the future. This vulnerability is potentially even more severe than the previous HTTP/2 Rapid Reset issue. 

Key points 

  • A new class of vulnerabilities: “HTTP/2 CONTINUATION Flood” has been discovered in various implementations of the HTTP/2 protocol. 
  • The vulnerability can lead to Denial of Service (DoS) attacks and is considered more severe than the previous HTTP/2 Rapid Reset vulnerability. 
  • Several affected products have been identified and assigned CVEs, with more expected to be disclosed in the future. 
  • The vulnerability arises when a single large HEADER frame is insufficient to store all the headers, and the data stream continues with CONTINUATION frames without the END_HEADERS flag set. 
  • Disclosures and fixes were coordinated together with CERT/CC.

Understanding the HTTP/2 CONTINUATION Flood Vulnerability 

About HTTP/2 

HTTP/2 (RFC9204) is an updated version of the HTTP protocol that allows multiple streams of data to be sent simultaneously over a single TCP connection. The data is binary-encoded into frames, with different frame types designed for specific purposes. 

Two crucial frame types are HEADERS and CONTINUATION frames, which are used to send header fields in requests and responses. 

The header fields are serialized as a “header list” and carried in a HEADERS frame; when they do not fit in that frame, the sequence continues in CONTINUATION frames on the same stream until a frame with the END_HEADERS flag set marks the end of the header block. 

HTTP/2 CONTINUATION Flood 

The vulnerability occurs when an attacker crafts a malicious request that never sets the END_HEADERS flag, creating an infinite stream of headers that the HTTP/2 server must parse and store in memory. As the server struggles to process the incoming headers, it becomes unavailable and may eventually crash due to an Out of Memory (OOM) error. 

Potential outcomes of this vulnerability include: 

  • CPU exhaustion, causing slowness in responding to other requests. 
  • Out of Memory crashes.  
  • Server crashes.  

Comparison to Rapid Reset and Other CVEs 

The impact of the CONTINUATION Flood vulnerability is potentially more severe than the previous Rapid Reset vulnerability for two main reasons. 

  1. Exploitation often requires only a single TCP connection and minimal data, making it easier to execute than Rapid Reset, which often requires a DDoS approach. 
  2. The attack is harder to detect and protect against using standard mitigations, as not even a single request is made due to the absence of the END_HEADERS flag. 

Known Affected Products and CVEs 

Numerous Internet services already implement HTTP/2, so this flaw could put a large part of the Internet at risk; that is why disclosures and fixes for the most critical services were coordinated with CERT/CC.

Multiple CVEs have been assigned: 

Project | Confirmed | Affected Versions | CVE ID
--- | --- | --- | ---
amphp/http | 2024-03-11 | >= 2.0.0 && <= 2.1.0, <= 1.7.2 | CVE-2024-2653
Apache HTTP Server (httpd) | 2024-02-23 | 2.4.17-2.4.58 | CVE-2024-27316
Apache Tomcat | 2024-01-25 | <=11.0.0-M16, <=10.1.18, <=9.0.85, 8.5.0-8.5.98 | CVE-2024-24549
Apache Traffic Server | 2024-03-29 | 8.0.0-8.1.9, 9.0.0-9.2.3 | CVE-2024-31309
github.com/envoyproxy/envoy (oghttp) | 2024-02-27 | 1.29.0, 1.29.1 | CVE-2024-27919
github.com/envoyproxy/envoy (nghttp2) | 2024-02-27 | <=1.29.2 | CVE-2024-30255
Golang | 2024-01-10 | <=1.20, <=1.21.8, <=1.22.1 | CVE-2023-45288
h2 Rust crate | 2024-03-04 | <=0.4.3, <=v0.3.25 | 
nghttp2 | 2024-03-08 | <=1.60.0 | CVE-2024-28182
Node.js | 2024-01-15 | <=18.20.0, <=20.12.0, <=21.7.1 | CVE-2024-27983
Tempesta FW | 2024-03-16 | 0.7.0 | CVE-2024-2758
█████████ *** | 2024-04-04 | | CVE-2024-XXXX
█████████ | 2024-04-04 | | CVE-2024-XXXX

Mitigation 

In HTTP/1.1, servers are protected from infinite headers by enforcing header size limits and request/headers timeouts that drop the connection. 

So, to mitigate the CONTINUATION Flood vulnerability, vendors must limit or sanitize the number of CONTINUATION frames sent within a single stream. Some vendors have already released fixes, while others are working on patches.  
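As an added example (not code from the post or from any of the listed projects), the following frame walker applies the mitigation described above: it bounds the number of CONTINUATION frames and the bytes buffered per header block, so a stream that keeps sending CONTINUATION frames without END_HEADERS is cut off instead of being stored in memory indefinitely. The limit values and the sample frames are constructed for this example.

```python
import struct
FRAME_HEADERS, FRAME_CONTINUATION = 0x1, 0x9   # frame type codes from RFC 9113
FLAG_END_HEADERS = 0x4
# Defensive limits; the values are assumptions for this example, not any vendor's defaults.
MAX_CONTINUATION_FRAMES = 8
MAX_HEADER_BLOCK_BYTES = 16 * 1024

def frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload

def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        yield ftype, flags, stream_id, data[off + 9:off + 9 + length]
        off += 9 + length

def check_header_blocks(data):
    """Return ("ok", completed_header_blocks) or ("reject", reason) for a buffer of frames."""
    pending = None   # [stream_id, continuation_count, accumulated_bytes] of an unfinished header block
    completed = 0
    for ftype, flags, sid, payload in iter_frames(data):
        if pending is None:
            if ftype == FRAME_CONTINUATION:
                return ("reject", "CONTINUATION without a preceding HEADERS frame")
            if ftype != FRAME_HEADERS:
                continue   # other frame types are not inspected in this example
            pending = [sid, 0, len(payload)]
        else:
            # Until END_HEADERS arrives, only CONTINUATION on the same stream is allowed (RFC 9113)
            if ftype != FRAME_CONTINUATION or sid != pending[0]:
                return ("reject", "frame interleaved with an unfinished header block")
            pending[1] += 1
            pending[2] += len(payload)
        if pending[1] > MAX_CONTINUATION_FRAMES:
            return ("reject", f"stream {sid}: more than {MAX_CONTINUATION_FRAMES} CONTINUATION frames")
        if pending[2] > MAX_HEADER_BLOCK_BYTES:
            return ("reject", f"stream {sid}: header block exceeds {MAX_HEADER_BLOCK_BYTES} bytes")
        if flags & FLAG_END_HEADERS:
            pending, completed = None, completed + 1
    return ("ok", completed)

# Constructed sample traffic. HPACK bytes 0x82 0x84 are static-table indices for ":method GET" and ":path /".
HPACK = b"\x82\x84"
BENIGN = frame(FRAME_HEADERS, FLAG_END_HEADERS, 1, HPACK)                       # one complete request
FLOOD = frame(FRAME_HEADERS, 0, 3, HPACK) + b"".join(frame(FRAME_CONTINUATION, 0, 3, HPACK) for _ in range(50))
```

The frame-count limit complements, rather than replaces, the header-size limits and request timeouts mentioned for HTTP/1.1.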

CVE-2024-2653 

Affects the amphp/http Composer package. Fixed in versions 1.7.3 and 2.1.1 with commit 881cc33d.

CVE-2024-27316 

Affects Apache HTTP Server (httpd). Fixed in version 2.4.59 with commit b646741f.

The post What you should know: HTTP/2 CONTINUATION Flood Vulnerability appeared first on Checkmarx.com.

Article Link: HTTP/2 CONTINUATION Flood Vulnerability