HTTP2 bug plagues web servers

Low-effort denial-of-service.

A common misconfiguration in popular web servers that support HTTP2 exposes them to low-effort denial-of-service attacks, according to security researcher Bartek Nowotarski.

What Nowotarski calls the Continuation Flood attack is a class of vulnerabilities in HTTP2 protocol implementations.

"A single machine (and in certain instances, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation," he wrote.

Nowotarski added that attacks “are not visible in HTTP access logs”.

The Continuation frame is used to split a header block across multiple frames, and the problem arises when an HTTP2 implementation does not limit the number of Continuation frames it will accept on a single stream.

“An attacker that can send packets to a target server can send a stream of Continuation frames that will not be appended to the header list in memory but will still be processed and decoded by the server or will be appended to the header list, causing an out of memory (OOM) crash,” the Carnegie Mellon CERT Coordination Center said in its description of the attack.
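The missing limit described above is easy to picture in code. The following Python is an added example, not code from the article or from any of the affected projects: it parses HTTP/2 frames in the layout given by RFC 9113 (9-byte frame header, then payload) and assembles a header block from a HEADERS frame plus its CONTINUATION frames, but stops as soon as either the number of CONTINUATION frames or the accumulated block size exceeds a cap, and it does so before any HPACK decoding would run. The frame layout, flags and error codes are from the RFC; the limit values, class and function names, and the sample frame sequences are constructed for this example.

```python
"""Assemble an HTTP/2 header block while capping CONTINUATION frames.

Added example (not from the article or any named project). Frame layout,
flags and error codes follow RFC 9113; limits and sample data are chosen
here for illustration.
"""

FRAME_HEADER_LEN = 9
TYPE_HEADERS = 0x1
TYPE_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4
FLAG_PADDED = 0x8
FLAG_PRIORITY = 0x20
PROTOCOL_ERROR = 0x1        # RFC 9113 section 7
ENHANCE_YOUR_CALM = 0xB     # "peer is generating excessive load"


def encode_frame(frame_type, flags, stream_id, payload):
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = len(payload).to_bytes(3, "big") + bytes([frame_type, flags])
    return header + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off < len(data):
        if off + FRAME_HEADER_LEN > len(data):
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        frame_type, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        start = off + FRAME_HEADER_LEN
        payload = data[start:start + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield frame_type, flags, stream_id, payload
        off = start + length


def headers_fragment(flags, payload):
    """Strip the optional pad-length and priority fields from a HEADERS payload."""
    pad = 0
    if flags & FLAG_PADDED:
        pad, payload = payload[0], payload[1:]
    if flags & FLAG_PRIORITY:
        payload = payload[5:]           # stream dependency (4 bytes) + weight (1 byte)
    if pad > len(payload):
        raise ValueError("pad length exceeds payload")
    return payload[:len(payload) - pad]


class HeaderBlockAssembler:
    """Collect one header block, refusing to continue once a peer sends too much.

    The two limits are this example's own choices (hypothetical names); real
    servers expose equivalents under their own configuration keys.
    """

    def __init__(self, max_continuations=8, max_block_bytes=16384):
        self.max_continuations = max_continuations
        self.max_block_bytes = max_block_bytes
        self.events = []  # rejections worth exporting to monitoring; access logs never see them

    def assemble(self, data):
        block, stream_id, continuations = bytearray(), None, 0
        for ftype, flags, sid, payload in iter_frames(data):
            if stream_id is None:
                if ftype != TYPE_HEADERS:
                    return self._reject(PROTOCOL_ERROR, sid, "expected HEADERS")
                stream_id = sid
                block += headers_fragment(flags, payload)
            else:
                # Only CONTINUATION on the same stream may follow an open header block.
                if ftype != TYPE_CONTINUATION or sid != stream_id:
                    return self._reject(PROTOCOL_ERROR, sid, "interleaved frame inside header block")
                continuations += 1
                if continuations > self.max_continuations:
                    return self._reject(ENHANCE_YOUR_CALM, sid, "too many CONTINUATION frames")
                block += payload
            # Size is checked before any HPACK decoding, so an oversized block costs no CPU.
            if len(block) > self.max_block_bytes:
                return self._reject(ENHANCE_YOUR_CALM, sid, "header block exceeds limit")
            if flags & FLAG_END_HEADERS:
                return {"status": "ok", "stream_id": stream_id,
                        "block": bytes(block), "continuations": continuations}
        return self._reject(PROTOCOL_ERROR, stream_id, "header block never terminated")

    def _reject(self, code, stream_id, reason):
        event = {"status": "rejected", "error_code": code, "stream_id": stream_id, "reason": reason}
        self.events.append(event)
        return event


def build_stream(stream_id, fragments, end_headers=True):
    """Constructed input: a HEADERS frame followed by CONTINUATION frames."""
    frames = []
    for i, frag in enumerate(fragments):
        last = i == len(fragments) - 1
        flags = FLAG_END_HEADERS if (last and end_headers) else 0
        ftype = TYPE_HEADERS if i == 0 else TYPE_CONTINUATION
        frames.append(encode_frame(ftype, flags, stream_id, frag))
    return b"".join(frames)


def demo():
    """A legitimate three-frame header block and a constructed flood that never ends."""
    legit = build_stream(1, [b"\x82\x86", b"\x84\x41", b"\x0fwww.example.com"])
    flood = build_stream(3, [b"\x82"] + [b"\x00" * 16] * 1000, end_headers=False)
    asm = HeaderBlockAssembler(max_continuations=8, max_block_bytes=16384)
    return asm.assemble(legit), asm.assemble(flood)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The point of the structure is that both counters are evaluated on raw frame bytes, before the header-block bytes are handed to an HPACK decoder or appended to any header list. The rejection record is returned and kept in `events` because, as the article notes, a request whose headers never complete produces no access-log line; the frame-level rejection is the only place a defender can count these connections.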

Nowotarski said the outcome of an attack is implementation-dependent but includes “instant crash after sending a couple of HTTP/2 frames” and CPU exhaustion.

Affected software includes Apache Tomcat (CVE-2023-38709), Golang (CVE-2023-452880), Node.js and others.

If fixes are not available, Nowotarski advises system administrators to disable HTTP2 support.

HTTP2 is an update to the HTTP protocol and has been in use since 2015.

Copyright © iTnews.com.au . All rights reserved.