logologo

Easy Branches allows you to share your guest post within our network in any countries of the world to reach Global customers start sharing your stories today!

Easy Branches

34/17 Moo 3 Chao fah west Road, Phuket, Thailand, Phuket

Call: 076 367 766

info@easybranches.com
Technology Cyber Security

HTTP2 bug plagues web servers

Low-effort denial-of-service.


  • Apr 08 2024
  • 92
  • 14150 Views
HTTP2 bug plagues web servers
HTTP2 bug plagues web servers

A common misconfiguration in popular web servers that support HTTP2 exposes them to low-effort denial-of-service attacks, according to security researcher Bartek Nowotarski.

HTTP2 bug plagues web servers

What Nowotarski calls the Continuation Flood attack is a class of vulnerabilities in HTTP2 protocol implementations.

"A single machine (and in certain instances, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation," he wrote.

Nowotarski added that attacks “are not visible in HTTP access logs”.

The Continuation frame is used to split header blocks across multiple frames, and the problem arises if an HTTP2 implementation does not limit the number of Continuation frames in a single stream.

“An attacker that can send packets to a target server can send a stream of Continuation frames that will not be appended to the header list in memory but will still be processed and decoded by the server or will be appended to the header list, causing an out of memory (OOM) crash," the Carnegie-Mellon CERT offered in this description of the attack.

Nowotarski said the outcome of an attack is implementation-dependent but includes “instant crash after sending a couple of HTTP/2 frames” and CPU exhaustion.

Affected software includes Apache Tomcat (CVE-2023-38709), Golang (CVE-2023-452880), node.js and others.

If fixes are not available, Nowotarski advises system admins to disable HTTP2 support.

HTTP2 is an update to the HTTP protocol and has been in use since 2015.

Related


Share this page
Guest Posts by Easy Branches