A new class of vulnerabilities in specific implementations of the HTTP/2 protocol, dubbed "HTTP/2 CONTINUATION Flood," has been discovered, causing concern across the Internet. Various affected products have already been identified and assigned CVEs, with more expected to be disclosed in the future. This vulnerability is potentially even more severe than the previous HTTP/2 Rapid Reset issue.
Key points
Understanding the HTTP/2 CONTINUATION Flood Vulnerability
About HTTP/2
HTTP/2 (RFC9204) is an updated version of the HTTP protocol that allows multiple streams of data to be sent simultaneously over a single TCP connection. The data is binary-encoded into frames, with different frame types designed for specific purposes.
Two crucial frame types are HEADERS and CONTINUATION frames, which are used to send header fields in requests and responses.
The header fields are serialized into a "header list" that is carried in a HEADERS frame; when it does not fit in one frame, the remaining fragments are sent in one or more CONTINUATION frames on the same stream, and the END_HEADERS flag marks the last fragment.
HTTP/2 CONTINUATION Flood
The vulnerability occurs when an attacker crafts a malicious request that never sets the END_HEADERS flag, creating an infinite stream of headers that the HTTP/2 server must parse and store in memory. As the server struggles to process the incoming headers, it becomes unavailable and may eventually crash due to an Out of Memory (OOM) error.
Potential outcomes of this vulnerability include:
Comparison to Rapid Reset and Other CVEs
The impact of the CONTINUATION Flood vulnerability is potentially more severe than the previous Rapid Reset vulnerability for two main reasons.
Known Affected Products and CVEs
Numerous Internet services already implement HTTP/2, so a vulnerability class of this kind poses a risk to the Internet as a whole; that is why disclosure and fixes for the most critical services were coordinated with CERT/CC.
Multiple CVEs have been assigned:
| Project | Confirmed | Affected Versions | CVE ID |
|---|---|---|---|
| amphp/http | 2024-03-11 | >= 2.0.0 && <= 2.1.0, <= 1.7.2 | CVE-2024-2653 |
| Apache HTTP Server (httpd) | 2024-02-23 | 2.4.17-2.4.58 | CVE-2024-27316 |
| Apache Tomcat | 2024-01-25 | <=11.0.0-M16, <=10.1.18, <=9.0.85, 8.5.0-8.5.98 | CVE-2024-24549 |
| Apache Traffic Server | 2024-03-29 | 8.0.0-8.1.9, 9.0.0-9.2.3 | CVE-2024-31309 |
| github.com/envoyproxy/envoy (oghttp) | 2024-02-27 | 1.29.0, 1.29.1 | CVE-2024-27919 |
| github.com/envoyproxy/envoy (nghttp2) | 2024-02-27 | <=1.29.2 | CVE-2024-30255 |
| Golang | 2024-01-10 | <=1.20, <=1.21.8, <=1.22.1 | CVE-2023-45288 |
| h2 Rust crate | 2024-03-04 | <=0.4.3, <=v0.3.25 | |
| nghttp2 | 2024-03-08 | <=1.60.0 | CVE-2024-28182 |
| Node.js | 2024-01-15 | <=18.20.0, <=20.12.0, <=21.7.1 | CVE-2024-27983 |
| Tempesta FW | 2024-03-16 | 0.7.0 | CVE-2024-2758 |
| █████████ *** | 2024-04-04 | (not yet disclosed) | CVE-2024-XXXX |
| █████████ | 2024-04-04 | (not yet disclosed) | CVE-2024-XXXX |
Mitigation
In HTTP/1.1, servers are protected from unbounded headers by header size limits and request/header timeouts that drop the connection.
To mitigate the CONTINUATION Flood vulnerability, vendors must therefore limit the number of CONTINUATION frames accepted within a single stream and reject the stream (or connection) once that limit is exceeded. Some vendors have already released fixes, while others are working on patches.
CVE-2024-2653
Affects the amphp/http Composer package. Fixed in versions 1.7.3 and 2.1.1 with commit 881cc33d.
More information here.
CVE-2024-27316
Affects Apache HTTP Server (httpd). Fixed in version 2.4.59 with commit b646741f.
More information here.
CVE-2024-24549
Affects Apache Tomcat. Fixed in versions 8.5.99, 9.0.86, 10.1.19 and 11.0.0-M17 with commit 810f49d5.
Note that this CVE is not directly related to the CONTINUATION flaw but was discovered as a consequence of a PoC for the vulnerability.
More information here.
CVE-2024-31309
Affects Apache Traffic Server. Fixed in versions 8.1.10-rc0 and 9.2.4-rc0 with commit b8c6a23b.
More information here.
CVE-2024-27919
Affects the Go package github.com/envoyproxy/envoy through the “oghttp” component. Fixed in versions 1.26.8, 1.27.4, 1.28.2 and 1.29.3 with commit d1936d03.
More information here.
CVE-2024-30255
Affects the Go package github.com/envoyproxy/envoy through the “nghttp2” component. Fixed in versions 1.26.8, 1.27.4, 1.28.2 and 1.29.3.
More information here.
CVE-2023-45288
Affects Go. Fixed in golang.org/x/net/http2 version 0.23.0 and in the standard library net/http package in Go 1.21.9 and 1.22.2 with commit ba872109.
More information here.
CVE-2024-28182
Affects the C++ library and Go wrapper nghttp2. Fixed in version 1.61.0 with commit 00201ecd.
More information here.
CVE-2024-27983
Affects Node.js. Fixed in versions 18.20.1, 20.12.1 and 21.7.2.
More information here.
CVE-2024-2758
Affects Tempesta FW. Fixed in version 0.7.1.
Our team is actively tracking these vulnerabilities and ensuring that our SCA solution covers the affected products within its scope.
More information here.
We maintain a comprehensive list of advisories on our DevHub page at https://devhub.checkmarx.com/advisories/, a resource that provides timely information and insights about various SCA vulnerabilities.
Conclusion
The HTTP/2 CONTINUATION Flood vulnerabilities present a critical issue that can cause significant disruption to web servers.
This class of vulnerabilities is a reminder that while new protocols offer improvements, their implementations must be carefully designed and tested to ensure security.
Checkmarx is actively tracking these vulnerabilities and their impact on the open-source domain.
Our SCA solution covers these vulnerabilities within its scope, helping organizations identify and mitigate potential risks.