|
Message-ID: <b3c6a514-fe9d-f6ee-90a4-2d92ccc04a8a@apache.org> Date: Wed, 10 Apr 2024 15:16:21 +0000 From: Bryan Call <bcall@...che.org> To: oss-security@...ts.openwall.com Subject: CVE-2024-31309: Apache Traffic Server: HTTP/2 CONTINUATION frames can be utilized for DoS attack Severity: moderate Affected versions: - Apache Traffic Server 8.0.0 through 8.1.9 - Apache Traffic Server 9.0.0 through 9.2.3 Description: HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected. Users can set a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute. ATS does have a fixed amount of memory a request can use and ATS adheres to these limits in previous releases. Users are recommended to upgrade to versions 8.1.10 or 9.2.4 which fixes the issue. Credit: Bartek Nowotarski (reporter) References: https://lists.apache.org/thread/f9qh3g3jvy153wh82pz4onrfj1wh13kc https://trafficserver.apache.org/ https://www.cve.org/CVERecord?id=CVE-2024-31309
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.