Apache HTTP Server Flaw Let Attackers Inject Malicious Headers & HTTP/2 DoS
Apache has released updates addressing several vulnerabilities in the Apache HTTP Server that allow attackers to mount HTTP/2 denial-of-service attacks and, in one case, to turn injected response headers into an HTTP desynchronization.
All of them affect the availability or the response integrity of affected servers, so operators should treat the upgrade as a priority.
CONTINUATION Flood is a newly described class of vulnerabilities affecting several HTTP/2 protocol implementations. The denial of service results from improper handling of a HEADERS frame followed by a sequence of CONTINUATION frames: a client can keep sending CONTINUATION frames without ever setting the END_HEADERS flag, and an implementation that keeps buffering the growing header block never reaches the point at which its header-size limit would apply.
A single TCP connection, and in some implementations only a handful of frames, is enough to seriously disrupt server operations, causing crashes or severe performance degradation.
Details Of The Vulnerabilities Addressed
CVE-2024-24795: HTTP Response Splitting In Multiple Modules
This low-severity vulnerability concerns HTTP response splitting in multiple modules of the Apache HTTP Server. An attacker who can inject malicious response headers into a backend application can use it to cause an HTTP desynchronization attack, because the injected line breaks are forwarded in the response rather than rejected.
Jianjun Chen and Keran Mu from Tsinghua University and Zhongguancun Laboratory reported this issue.
This issue affects the Apache HTTP Server through 2.4.58.
Fix Released
Users are recommended to upgrade to version 2.4.59, which fixes this issue.
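The mechanism behind response splitting, as an added example that is not part of the original article and not httpd code: a toy backend copies an attacker-controlled redirect target into a Location header, and a toy front end that frames responses by Content-Length (standing in for a reverse proxy or browser) ends up seeing two responses where the backend meant to send one. The hardened builder rejects CR, LF and NUL in header values. All names, the attack string and the framing logic are constructed for the example.

```python
"""HTTP response splitting in miniature: a naive header serialiser, the
same serialiser with a value check, and a tiny response framer that shows
the resulting desynchronization. Added example, not httpd code."""

CRLF = b"\r\n"


def build_response(status: int, headers: dict, body: bytes) -> bytes:
    """Naive serialiser: header values go out verbatim, so CR LF inside a
    value terminates the field line, and CR LF CR LF terminates the whole
    header block early. This is the vulnerable behaviour."""
    reason = {200: "OK", 302: "Found"}.get(status, "")
    lines = [f"HTTP/1.1 {status} {reason}".encode(),
             b"Content-Length: " + str(len(body)).encode()]
    for name, value in headers.items():
        lines.append(name.encode() + b": " + value.encode("latin-1"))
    return CRLF.join(lines) + CRLF + CRLF + body


def header_value_ok(value: str) -> bool:
    """RFC 9110 field values may not contain CR, LF or NUL; those are the
    characters that let a value escape its field line."""
    return not any(ch in value for ch in "\r\n\0")


def build_response_safe(status: int, headers: dict, body: bytes) -> bytes:
    """Fixed serialiser: refuse any header value that could split the response."""
    for name, value in headers.items():
        if not header_value_ok(value):
            raise ValueError(f"CR/LF/NUL in value of header {name!r}")
    return build_response(status, headers, body)


def split_responses(stream: bytes) -> list:
    """Minimal HTTP/1.1 response framer: one message per status line,
    header block and Content-Length bytes of body. A split response shows
    up as extra messages in the result."""
    msgs, pos = [], 0
    while pos < len(stream):
        while stream.startswith(CRLF, pos):      # tolerate blank lines between messages
            pos += 2
        if pos >= len(stream):
            break
        end = stream.find(CRLF + CRLF, pos)
        if end < 0:
            break                                 # incomplete header block
        status_line, *fields = stream[pos:end].decode("latin-1").split("\r\n")
        length = 0
        for f in fields:
            name, _, val = f.partition(":")
            if name.strip().lower() == "content-length":
                length = int(val.strip())
        body = stream[end + 4:end + 4 + length]
        msgs.append({"status": status_line, "headers": fields, "body": body})
        pos = end + 4 + length
    return msgs


# Constructed attacker input: a redirect target that ends the first header
# block early and carries a complete second response behind it.
EVIL_NEXT = ("/home\r\n\r\n"
             "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\n"
             "EVIL!")


def redirect_vulnerable(next_url: str) -> bytes:
    """Backend redirect that trusts the 'next' parameter (hypothetical app)."""
    return build_response(302, {"Location": next_url}, b"")


def redirect_fixed(next_url: str) -> bytes:
    """Same redirect through the validating serialiser."""
    return build_response_safe(302, {"Location": next_url}, b"")


if __name__ == "__main__":
    seen = split_responses(redirect_vulnerable(EVIL_NEXT))
    print(len(seen), "responses framed from one backend reply")
    for m in seen:
        print("  ", m["status"], m["body"])
    try:
        redirect_fixed(EVIL_NEXT)
    except ValueError as e:
        print("fixed backend refused:", e)
```

Run stand-alone, the vulnerable path yields two framed responses (the 302 the backend intended, then the attacker's 200 with its own body); the fixed path raises before anything is written. In a real deployment the second message is what a front-end cache or the next client on a keep-alive connection would consume, which is the desynchronization the advisory describes.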
CVE-2024-27316: HTTP/2 DoS By Memory Exhaustion On Endless Continuation Frames
This moderate-severity vulnerability arises because incoming HTTP/2 headers that exceed the configured limit are temporarily buffered by nghttp2 so that an informative HTTP 413 response can be produced once the header block is complete.
A client that never stops sending header data, that is, CONTINUATION frames that never carry END_HEADERS, therefore drives the server into memory exhaustion.
This issue was reported by the researcher Bartek Nowotarski.
The issue affects the Apache HTTP Server through 2.4.58.
Fix Released
Users are recommended to upgrade to version 2.4.59, which fixes this issue.
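The CONTINUATION Flood class described at the top of the page and the nghttp2 buffering behaviour in CVE-2024-27316, at the frame level, as an added example that is not part of the article and not httpd or nghttp2 code: a generator for the attack traffic (a HEADERS frame and then CONTINUATION frames that never set END_HEADERS) and a server-side header-block reassembler that can be run in a mode mirroring the vulnerable behaviour (buffer past the limit so a 413 can be produced later) and a mode mirroring the effect of the fix (abort the connection as soon as the limit is exceeded). Frame layout follows RFC 9113; the header block fragments are constructed filler bytes rather than real HPACK, and the limits and class names are assumptions for the example.

```python
"""CONTINUATION flood at the HTTP/2 frame level: attack traffic plus a
header-block reassembler in vulnerable and fixed modes. Added example,
not httpd or nghttp2 code. Frame layout per RFC 9113 s.4.1: 24-bit
length, 8-bit type, 8-bit flags, 31-bit stream id, payload. Real fragments
are HPACK-encoded; reassembly happens before HPACK decoding, so filler
bytes are enough here."""
import struct

HEADERS, CONTINUATION = 0x1, 0x9
END_HEADERS = 0x4


def frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialise one HTTP/2 frame."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def iter_frames(buf: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame."""
    pos = 0
    while pos + 9 <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        sid = struct.unpack(">I", buf[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        if pos + 9 + length > len(buf):
            break                                  # partial frame, wait for more
        yield ftype, flags, sid, buf[pos + 9:pos + 9 + length]
        pos += 9 + length


def continuation_flood(stream_id: int, n_frames: int, frag_size: int = 1024) -> bytes:
    """Constructed attack traffic: HEADERS without END_HEADERS, then
    n_frames CONTINUATION frames that never set END_HEADERS either."""
    fragment = b"\x00" * frag_size
    out = frame(HEADERS, 0, stream_id, fragment)
    for _ in range(n_frames):
        out += frame(CONTINUATION, 0, stream_id, fragment)
    return out


class HeaderBlockReceiver:
    """Reassembles a header block across HEADERS + CONTINUATION frames.

    max_buffered=None models the vulnerable behaviour from the advisory:
    fragments past header_limit are still buffered so that an informative
    413 can be sent once END_HEADERS arrives; a client that never sends
    END_HEADERS therefore grows the buffer without bound. A finite
    max_buffered models the fix: tear the connection down as soon as the
    accumulated block exceeds the limit.
    """

    def __init__(self, header_limit: int, max_buffered=None):
        self.header_limit = header_limit
        self.max_buffered = max_buffered
        self.buf = bytearray()
        self.block_stream = None       # stream id of the block being assembled
        self.peak = 0                  # largest buffer seen (memory cost)
        self.events = []               # what the connection handler would do

    def feed(self, data: bytes) -> list:
        for ftype, flags, sid, payload in iter_frames(data):
            if self.events and self.events[-1][0] == "GOAWAY":
                break                                      # connection already closed
            if ftype == HEADERS:
                if self.block_stream is not None:
                    return self._abort("HEADERS while header block open")
                self.block_stream, self.buf = sid, bytearray()
            elif ftype == CONTINUATION:
                if self.block_stream != sid:
                    return self._abort("CONTINUATION on wrong or no stream")
            elif self.block_stream is not None:
                return self._abort("non-CONTINUATION frame inside header block")
            else:
                continue                                   # other frame types: not modelled
            self.buf += payload
            self.peak = max(self.peak, len(self.buf))
            if self.max_buffered is not None and len(self.buf) > self.max_buffered:
                return self._abort("header block exceeds %d bytes" % self.max_buffered)
            if flags & END_HEADERS:
                status = "413" if len(self.buf) > self.header_limit else "request"
                self.events.append((status, sid, len(self.buf)))
                self.block_stream, self.buf = None, bytearray()
        return self.events

    def _abort(self, why: str) -> list:
        """Connection error: send GOAWAY and drop all buffered state."""
        self.events.append(("GOAWAY", why))
        self.block_stream, self.buf = None, bytearray()
        return self.events


if __name__ == "__main__":
    flood = continuation_flood(stream_id=1, n_frames=200)
    vuln = HeaderBlockReceiver(header_limit=8192)
    vuln.feed(flood)
    print("vulnerable: buffered up to %d bytes, events=%s" % (vuln.peak, vuln.events))
    fixed = HeaderBlockReceiver(header_limit=8192, max_buffered=8192)
    fixed.feed(flood)
    print("fixed:      buffered up to %d bytes, events=%s" % (fixed.peak, fixed.events))
```

With 200 CONTINUATION frames of 1 KiB the vulnerable receiver holds about 200 KiB and has produced no event at all, because the 413 it is waiting to send depends on an END_HEADERS that never comes; scale the frame count up and the memory cost scales with it. The fixed receiver gives up at the first frame that pushes the block past 8 KiB. The point to take from it: a limit that is only enforced after the block is complete is not a limit while the block is being received.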
CVE-2023-43622: DoS In HTTP/2 With Initial Windows Size 0
A low-severity issue in which an attacker who opens an HTTP/2 connection with an initial window size of 0 can block the Apache HTTP Server's handling of that connection indefinitely, because the server cannot send any response data until the client grants flow-control credit.
This can be used to exhaust the server's worker resources, in the manner of the well-known "slow loris" attack pattern.
The issue was reported by Sven Dietrich and Isa Jafarov (City University of New York) and Heejo Lee and Choongin Lee (Korea University).
This issue affects the Apache HTTP Server from 2.4.55 through 2.4.57.
Fix Released
Users are recommended to upgrade to version 2.4.58, which fixes the issue.
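The window-size-0 stall, as an added example that is not part of the article and not httpd code: the client SETTINGS frame that sets SETTINGS_INITIAL_WINDOW_SIZE to 0, and a model of the server side of one response stream under HTTP/2 flow control. With no stall timeout the sender waits for a WINDOW_UPDATE that never arrives, which is the worker-exhaustion pattern; with a timeout it gives the stream up and frees the worker. The clock is injected so the example runs instantly, and the timeout value and class names are assumptions for the example, not httpd's settings.

```python
"""Flow-control stall from SETTINGS_INITIAL_WINDOW_SIZE = 0. Added example,
not httpd code. The client advertises a zero window and never sends
WINDOW_UPDATE, so the server can never send response DATA; the vulnerable
sender waits indefinitely, the fixed sender bounds the wait."""
import struct

SETTINGS = 0x4
SETTINGS_INITIAL_WINDOW_SIZE = 0x4       # RFC 9113 s.6.5.2 identifier
DEFAULT_INITIAL_WINDOW = 65535


def settings_frame(values: dict) -> bytes:
    """Client SETTINGS frame on stream 0: payload of 16-bit id / 32-bit value pairs."""
    payload = b"".join(struct.pack(">HI", k, v) for k, v in values.items())
    return (len(payload).to_bytes(3, "big") + bytes([SETTINGS, 0])
            + struct.pack(">I", 0) + payload)


def parse_settings(buf: bytes) -> dict:
    """Decode a SETTINGS frame into {identifier: value}."""
    length = int.from_bytes(buf[:3], "big")
    if buf[3] != SETTINGS or length % 6:
        raise ValueError("not a well-formed SETTINGS frame")
    return dict(struct.iter_unpack(">HI", buf[9:9 + length]))


class StreamSender:
    """Server side of one response stream under HTTP/2 flow control."""

    def __init__(self, body: bytes, initial_window: int, stall_timeout=None):
        self.pending = body
        self.window = initial_window          # bytes the peer currently lets us send
        self.stall_timeout = stall_timeout    # None models the vulnerable server
        self.stalled_since = None
        self.sent = b""
        self.state = "open"

    def window_update(self, increment: int) -> None:
        """Peer's WINDOW_UPDATE: credit arrives and any stall ends."""
        self.window += increment
        self.stalled_since = None

    def pump(self, now: float) -> str:
        """Send as much DATA as the window allows at time `now`; return the state."""
        if self.state != "open":
            return self.state
        n = min(self.window, len(self.pending))
        if n:
            self.sent += self.pending[:n]
            self.pending = self.pending[n:]
            self.window -= n
            self.stalled_since = None
        if not self.pending:
            self.state = "done"                # response fully sent
        elif self.window == 0:
            if self.stalled_since is None:
                self.stalled_since = now       # blocked on the peer from now on
            elif (self.stall_timeout is not None
                  and now - self.stalled_since >= self.stall_timeout):
                self.state = "reset"           # give up: reset the stream, free the worker
        return self.state


def serve(client_settings: bytes, body: bytes, stall_timeout, clock_ticks) -> str:
    """Apply the client's SETTINGS and drive one response through the clock."""
    window = parse_settings(client_settings).get(
        SETTINGS_INITIAL_WINDOW_SIZE, DEFAULT_INITIAL_WINDOW)
    sender = StreamSender(body, window, stall_timeout)
    state = "open"
    for t in clock_ticks:
        state = sender.pump(t)
    return state


if __name__ == "__main__":
    slow = settings_frame({SETTINGS_INITIAL_WINDOW_SIZE: 0})      # constructed attack
    body = b"x" * 4096
    print("vulnerable:", serve(slow, body, None, [0, 30, 300, 3000]))   # still open
    print("fixed:     ", serve(slow, body, 30, [0, 30, 300, 3000]))     # reset
    normal = settings_frame({SETTINGS_INITIAL_WINDOW_SIZE: 65535})
    print("normal:    ", serve(normal, body, 30, [0]))                   # done
```

One zero-window connection is cheap for the attacker and, without a bound on the wait, holds a worker for as long as the TCP connection stays up; opening many such connections is the slow-loris pattern the advisory refers to. The defensive shape is the same as for any slow-client attack: a timer on "no progress possible", not just on "no bytes received".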
These flaws put internet-facing servers at real risk. Upgrade affected installations to Apache HTTP Server 2.4.59 or later, which contains the fixes for all three issues.
Source: https://bit.ly/3uS5LZ2