An HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Versions from 8.0.0 through 8.1.9 and from 9.0.0 through 9.2.3 are affected. Users can use a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute. ATS does have a fixed amount of memory a request can use, and ATS adheres to these limits in previous releases. Users are recommended to upgrade to version 8.1.10 or 9.2.4, which fix the issue.
History

Tue, 12 Nov 2024 19:15:00 +0000

Values Removed: (none)

Values Added:

First Time appeared: Apache; Apache traffic Server

CPEs: cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*

Vendors & Products: Apache; Apache traffic Server

Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: apache

Published: 2024-04-10T12:07:16.975Z

Updated: 2024-11-12T18:24:22.338Z

Reserved: 2024-03-29T18:52:13.204Z

Link: CVE-2024-31309

Vulnrichment

Updated: 2024-08-02T01:52:56.330Z

NVD

Status: Awaiting Analysis

Published: 2024-04-10T12:15:09.257

Modified: 2024-11-21T09:13:14.817

Link: CVE-2024-31309

Redhat

Severity: Important

Public Date: 2024-04-03T00:00:00Z

Links: CVE-2024-31309 - Bugzilla