#VU88113 Resource exhaustion in Apache Traffic Server - CVE-2024-31309


| Updated: 2024-04-18

Vulnerability identifier: #VU88113

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-31309

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Traffic Server
Server applications / Web servers

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single HTTP/2 stream. A remote attacker can send specially crafted HTTP/2 requests to the server and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Traffic Server: 8.0.0 - 8.0.8, 8.1.0 - 8.1.9, 9.0.0 - 9.0.2, 9.1.0 - 9.1.4, 9.2.0 - 9.2.3

External links
https://bugzilla.redhat.com/show_bug.cgi?id=2269627
https://lists.apache.org/thread/0117x8x3fqvt1wnl4y8js5p27nrgo57o

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Debian update for trafficserver
Fedora 39 update for trafficserver
Fedora 38 update for trafficserver
Fedora 40 update for trafficserver
Fedora EPEL 8 update for trafficserver
Fedora EPEL 9 update for trafficserver
Fedora EPEL 7 update for trafficserver
Resource exhaustion in Apache Traffic Server