### Vulnerability Details HTTP/2 is a secure and efficient next-generation HTTP transport protocol designed to improve web performance by introducing binary framing for efficient data transfer, multiplexing to allow multiple requests and responses over a single connection, and header compression to reduce overhead. HTTP/2 CONTINUATION frames are used for sequences of continuous field block fragments. A denial-of-service vulnerability has recently been identified in the HTTP/2 protocol, dubbed "HTTP/2 CONTINUATION Flood." This vulnerability can lead to denial-of-service (DoS) attacks and, in certain implementations, can crash a web server using a single TCP connection. Technical details of this vulnerability have been publicly disclosed. Because some HTTP/2 protocol implementations do not properly restrict or sanitize the number of CONTINUATION frames sent within a single data stream, an attacker can send a flood of CONTINUATION frames to a target server without setting the END_HEADERS flag, potentially causing an out-of-memory crash or CPU resource exhaustion that results in a service outage. ### Affected Scope and Remediation HTTP/2 CONTINUATION Flood affects multiple projects. Different HTTP/2 implementations may have unique vulnerabilities and impacts specific to their implementation. The corresponding CVE IDs, affected scope, and remediation for various HTTP/2 implementations are listed below: | Affected Project | CVE | Affected Scope | Fixed Version | |---|---|---|---| | Envoy | CVE-2024-27919 | Envoy 1.29.0 – Envoy 1.29.1 | Upgrade to version 1.29.2 or later; or downgrade to 1.28.1 or earlier | | Envoy | CVE-2024-30255 | Envoy < 1.29.3, Envoy < 1.28.2, Envoy < 1.27.4, Envoy < 1.26.8 | Upgrade to 1.29.3, 1.28.2, 1.27.4, 1.26.8, or later | | Tempesta FW | CVE-2024-2758 | Tempesta FW < 0.7.1 | Upgrade to 0.7.1 or later | | amphp/http | CVE-2024-2653 | amphp/http < 1.7.3, amphp/http 2.0.0 – 2.1.0, amphp/http-client 4.0.0-rc10 – 4.0.0 | Upgrade to amphp/http 1.7.3, amphp/http 2.1.1, amphp/http-client 4.1.0-rc1 or later | | Golang | CVE-2023-45288 | Go < 1.22.2, Go < 1.21.9 | Upgrade to Go 1.22.2, Go 1.21.9 or later | | nghttp2 | CVE-2024-28182 | nghttp2 < 1.61.0 | Upgrade to nghttp2 1.61.0 or later | | Apache HTTP Server | CVE-2024-27316 | Apache HTTP Server < 2.4.59 | Upgrade to Apache HTTP Server 2.4.59 or later | | Apache Traffic Server | CVE-2024-31309 | Apache Traffic Server [8.0.0, 8.1.9), Apache Traffic Server [9.0.0, 9.2.3) | Upgrade to 8.1.9, 9.2.3 or later | | Node.js | CVE-2024-27983 | Node.js < 18.20.1, Node.js < 20.12.1, Node.js < 21.7.2 | Upgrade to Node.js 18.20.1, 20.12.1, 21.7.2 or later | **Note:** Before installing or upgrading, please perform data backups, snapshots, and testing to prevent unexpected issues. ### Reference Links [https://www.openwall.com/lists/oss-security/2024/04/04/4](https://www.openwall.com/lists/oss-security/2024/04/04/4) [https://www.openwall.com/lists/oss-security/2024/04/05/3](https://www.openwall.com/lists/oss-security/2024/04/05/3) [https://www.openwall.com/lists/oss-security/2024/04/05/4](https://www.openwall.com/lists/oss-security/2024/04/05/4) [https://www.openwall.com/lists/oss-security/2024/04/04/8](https://www.openwall.com/lists/oss-security/2024/04/04/8)

UCloud-202404-001:HTTP/2 CONTINUATION Flood Denial of Service Vulnerability Security Advisory