What you should know: HTTP/2 CONTINUATION Flood Vulnerability 

A new class of vulnerabilities in specific implementations of the HTTP/2 protocol, dubbed "HTTP/2 CONTINUATION Flood," has been discovered, causing concern across the Internet. Various affected products have already been identified and assigned CVEs, with more expected to be disclosed in the future. This vulnerability is potentially even more severe than the previous HTTP/2 Rapid Reset issue. 

Key points 

• A new class of vulnerabilities: "HTTP/2 CONTINUATION Flood" has been discovered in various implementations of the HTTP/2 protocol. 
• The vulnerability can lead to Denial of Service (DoS) attacks and is considered more severe than the previous HTTP/2 Rapid Reset vulnerability. 
• Several affected products have been identified and assigned CVEs, with more expected to be disclosed in the future. 
• The vulnerability arises when a single large HEADER frame is insufficient to store all the headers, and the data stream continues with CONTINUATION frames without the END_HEADERS flag set. 
• Disclosures and fixes were coordinated together with CERT/CC 

Understanding the HTTP/2 CONTINUATION Flood Vulnerability 

About HTTP/2 

HTTP/2 (RFC9204) is an updated version of the HTTP protocol that allows multiple streams of data to be sent simultaneously over a single TCP connection. The data is binary-encoded into frames, with different frame types designed for specific purposes. 

Two crucial frame types are HEADERS and CONTINUATION frames, which are used to send header fields in requests and responses. 

The headers are divided and serialized into "header lists" for transmission within HEADERS frames, while CONTINUATION frames are used to continue the sequence of headers in the data stream. 

HTTP/2 CONTINUATION Flood 

The vulnerability occurs when an attacker crafts a malicious request that never sets the END_HEADERS flag, creating an infinite stream of headers that the HTTP/2 server must parse and store in memory. As the server struggles to process the incoming headers, it becomes unavailable and may eventually crash due to an Out of Memory (OOM) error. 

Potential outcomes of this vulnerability include: 

• CPU exhaustion, causing slowness in responding to other requests. 
• Out of Memory crashes.  
• Server crashes.  

Comparison to Rapid Reset and Other CVEs 

The impact of the CONTINUATION Flood vulnerability is potentially more severe than the previous Rapid Reset vulnerability for two main reasons. 

1. Exploitation often requires only a single TCP connection and minimal data, making it easier to execute than Rapid Reset, which often requires a DDoS approach. 

2. The attack is harder to detect and protect against using standard mitigations, as not even a single request is made due to the absence of the END_HEADERS flag. 

Known Affected Products and CVEs 

Numerous Internet services already implement version 2 of HTTP which could present a risk to the Internet safety, and that’s why disclosures and fixes of the most critical services were coordinated with CERT/CC. 

Multiple CVEs have been assigned: 

Mitigation

In HTTP/1.1, servers are protected from infinite headers by enforcing header size limits and request/headers timeouts that drop the connection.

So, to mitigate the CONTINUATION Flood vulnerability, vendors must limit or sanitize the number of CONTINUATION frames sent within a single stream. Some vendors have already released fixes, while others are working on patches. 

CVE-2024-2653

Affects the amphp/http Composer package. Fixed in versions 1.7.3 and 2.1.1 with commit 881cc33d.

More information here. 

CVE-2024-27316

Affects Apache HTTP Server (httpd). Fixed in version 2.4.59 with commit b646741f.

More information here. 

CVE-2024-24549

Affects Apache Tomcat. Fixed in versions 8.5.99, 9.0.86, 10.1.19 and 11.0.0-M17 with commit 810f49d5.

Note that this CVE is not directly related to the CONTINUATION flaw but was discovered as a consequence of a POC for the vulnerability.

More information here. 

CVE-2024-31309

Affects Apache Traffic Server. Fixed in versions  8.1.10-rc0 and 9.2.4-rc0 with commit b8c6a23b.

More information here. 

CVE-2024-27919

Affects the Go package github.com/envoyproxy/envoy through the “oghttp” component. Fixed in versions 1.26.8, 1.27.4, 1.28.2 and 1.29.3 with commit d1936d03.

More information here. 

CVE-2024-30255

Affects the Go package github.com/envoyproxy/envoy through the “nghttp2” component. Fixed in versions 1.26.8, 1.27.4, 1.28.2 and 1.29.3.

More information here. 

CVE-2023-45288

Fixed in the Go packages golang.org/x/net/http2 version 0.23.0 and net/http 1.21.9 and 1.22.2 with commit ba872109.

More information here. 

CVE-2024-28182

Affects the Cpp library and Go wrapper nghttp2. Fixed in version 1.61.0 with commit 00201ecd.

More information here. 

CVE-2024-27983

Affect Node.js. Fixed in versions 18.20.1, 20.12.1 and 21.7.2.

More information here. 

CVE-2024-2758

Affects Tempesta FW. Fixed in version 0.7.1.

Our team is actively tracking these vulnerabilities and ensuring that our SCA solution covers the affected products within its scope.

More information here. 

We maintain a comprehensive list of advisories on our DevHub page at https://devhub.checkmarx.com/advisories/. (A resource that provides timely information and insights about various SCA vulnerabilities).

Conclusion

The HTTP/2 CONTINUATION Flood vulnerabilities present a critical issue that can cause significant disruption to web servers.

This class of vulnerabilities is a reminder that while new protocols offer improvements, their implementations must be carefully designed and tested to ensure security.

Checkmarx is actively tracking these vulnerabilities and their impact on the open-source domain. 

Our SCA solution covers these vulnerabilities within its scope, helping organizations identify and mitigate potential risks.