=====================================================================
CERT-Renater Information Note No. 2024/VULN197
_____________________________________________________________________
DATE                 : 15/04/2024
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Apache Traffic Server versions prior to 8.1.10, 9.2.4.
=====================================================================

https://lists.apache.org/thread/0117x8x3fqvt1wnl4y8js5p27nrgo57o
_____________________________________________________________________

CVE-2024-31309: Apache Traffic Server: HTTP/2 CONTINUATION frames can be utilized for DoS attack

Severity: moderate

Affected versions:
- Apache Traffic Server 8.0.0 through 8.1.9
- Apache Traffic Server 9.0.0 through 9.2.3

Description:
An HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Versions 8.0.0 through 8.1.9 and 9.0.0 through 9.2.3 are affected.

Users can set a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute. ATS does have a fixed amount of memory a request can use, and ATS adheres to these limits in previous releases.

Users are recommended to upgrade to version 8.1.10 or 9.2.4, which fixes the issue.

Credit:
Bartek Nowotarski (reporter)

References:
https://lists.apache.org/thread/f9qh3g3jvy153wh82pz4onrfj1wh13kc
https://trafficserver.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-31309

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41          +
+ 75013 Paris           | email:cert@support.renater.fr +
=========================================================
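To make the mitigation concrete, the following added example (not code from ATS or from the advisory) walks a constructed HTTP/2 frame stream, parses the 9-byte frame headers, and applies a sliding 60-second limit on CONTINUATION frames per connection, in the spirit of proxy.config.http2.max_continuation_frames_per_minute. The frame encoder, the ContinuationLimiter class and the sample stream are all assumptions made for the example.

```python
from collections import deque

# HTTP/2 frame type codes (RFC 9113, section 6) and the fixed 9-byte frame header
HEADERS = 0x1
CONTINUATION = 0x9
FRAME_HEADER_LEN = 9  # 24-bit length, 8-bit type, 8-bit flags, R bit + 31-bit stream id

def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        start = off + FRAME_HEADER_LEN
        if start + length > len(data):
            break  # truncated trailing frame: stop rather than misparse
        yield ftype, flags, stream_id, data[start:start + length]
        off = start + length

class ContinuationLimiter:
    """Hypothetical per-connection limiter: counts CONTINUATION frames seen in the
    last 60 seconds and reports when the count exceeds max_per_minute."""
    def __init__(self, max_per_minute):
        self.max_per_minute = max_per_minute
        self.times = deque()  # timestamps of CONTINUATION frames inside the window

    def observe(self, ftype, now):
        """Record one frame; return True when the connection should be dropped."""
        if ftype != CONTINUATION:
            return False
        self.times.append(now)
        while self.times and now - self.times[0] >= 60:
            self.times.popleft()  # expire entries older than one minute
        return len(self.times) > self.max_per_minute

def build_frame(ftype, flags, stream_id, payload):
    """Encode one raw HTTP/2 frame; used only to construct the sample input below."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)

def first_violation(data, max_per_minute, timestamps):
    """Return the index of the first frame that trips the limit, or None.
    timestamps[i] is the (constructed) arrival time in seconds of frame i."""
    limiter = ContinuationLimiter(max_per_minute)
    for i, (frame, ts) in enumerate(zip(parse_frames(data), timestamps)):
        if limiter.observe(frame[0], ts):
            return i
    return None

# Constructed sample: one HEADERS frame on stream 1 followed by five CONTINUATION frames.
SAMPLE_STREAM = build_frame(HEADERS, 0, 1, b"\x82") + b"".join(
    build_frame(CONTINUATION, 0, 1, b"\x86") for _ in range(5))
```

With a limit of 3 per minute, six frames arriving one second apart trip the limiter at the fourth CONTINUATION frame (index 4), while the same frames spread 61 seconds apart never exceed the window.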