PT-2024-2589 · Apache · Apache Traffic Server
Bartek Nowotarski
·
Published
2024-01-05
·
Updated
2025-06-03
·
CVE-2024-31309
CVSS v2.0
7.8
High
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Apache Traffic Server versions 8.0.0 through 8.1.9
Apache Traffic Server versions 9.0.0 through 9.2.3
Description
An HTTP/2 CONTINUATION flood can make Apache Traffic Server consume an excessive amount of server resources. The server does not correctly determine the end of a header block when processing CONTINUATION frames: a header block is complete only when a frame carries the END_HEADERS flag, and affected versions keep accepting and buffering CONTINUATION frames from a client that never sets it. A remote, unauthenticated attacker can exploit this by opening a stream with a HEADERS frame and following it with an unbounded sequence of CONTINUATION frames, causing uncontrolled resource consumption and a denial of service.
Recommendations
For versions 8.0.0 through 8.1.9, upgrade to version 8.1.10.
For versions 9.0.0 through 9.2.3, upgrade to version 9.2.4.
As a temporary workaround, set the new option proxy.config.http2.max_continuation_frames_per_minute to limit the number of CONTINUATION frames the server accepts per minute.
Fix
DoS
Resource Exhaustion
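The Python script below is an added illustration of the Description and of the per-minute limit named in the Recommendations; it is not code from this page or from Apache Traffic Server. It builds a constructed frame stream of the shape described above (a HEADERS frame without END_HEADERS followed by CONTINUATION frames that never set it), feeds it to a minimal header-block assembler that buffers fragments until END_HEADERS the way the affected versions do, and then applies a per-connection sliding one-minute CONTINUATION counter modelled on the proxy.config.http2.max_continuation_frames_per_minute workaround. The limit value 120, the 60-second window, the modelled frame rates, the frame sizes and all function and class names are assumptions for the demonstration; HPACK decoding of the finished block is omitted.

```python
"""Added example for CVE-2024-31309; not Apache Traffic Server code.
All names, limits and timings are assumptions for the demonstration."""
from collections import deque

# HTTP/2 frame types, flag and error code used here (RFC 9113, section 6 and 7).
HEADERS = 0x1
CONTINUATION = 0x9
END_HEADERS = 0x4
ENHANCE_YOUR_CALM = 0xB  # error code for a peer that generates excessive load


def frame(ftype, flags, stream_id, payload):
    """Serialise one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def iter_frames(data):
    """Split a byte string into (type, flags, stream_id, payload) frames."""
    off = 0
    while off < len(data):
        if off + 9 > len(data):
            raise ValueError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        off += 9 + length


class FloodError(Exception):
    """Raised when the per-minute CONTINUATION limit is exceeded."""


class HeaderBlockAssembler:
    """Buffers a HEADERS frame and its CONTINUATION frames until END_HEADERS.

    limit_per_minute=None reproduces the vulnerable behaviour: fragments are
    buffered for as long as the client keeps sending them.  An integer models
    the workaround: a sliding 60-second window of CONTINUATION frames on this
    connection, beyond which the connection is torn down (ENHANCE_YOUR_CALM)."""

    def __init__(self, limit_per_minute=None):
        self.limit = limit_per_minute
        self.buf = bytearray()    # pending header block fragments
        self.open_stream = None   # stream whose header block is still open
        self.recent = deque()     # arrival times of accepted CONTINUATION frames

    def feed(self, ftype, flags, stream_id, payload, now):
        """Consume one frame; return the complete header block or None."""
        if ftype == HEADERS:
            if self.open_stream is not None:
                raise ValueError("PROTOCOL_ERROR: HEADERS inside an open header block")
            self.buf = bytearray(payload)
            self.open_stream = stream_id
        elif ftype == CONTINUATION:
            if self.open_stream != stream_id:
                raise ValueError("PROTOCOL_ERROR: CONTINUATION without open header block")
            if self.limit is not None:
                while self.recent and now - self.recent[0] >= 60:
                    self.recent.popleft()          # drop frames older than a minute
                if len(self.recent) >= self.limit:
                    raise FloodError(ENHANCE_YOUR_CALM)
                self.recent.append(now)
            self.buf += payload
        else:
            return None  # other frame types are not part of a header block
        if flags & END_HEADERS:
            block = bytes(self.buf)
            self.buf, self.open_stream = bytearray(), None
            return block
        return None


def continuation_flood(n_frames, fragment=b"\x00" * 1024):
    """Constructed attack stream: HEADERS without END_HEADERS, then n CONTINUATION
    frames that never set END_HEADERS, so the header block never completes."""
    data = frame(HEADERS, 0, 1, fragment)
    for _ in range(n_frames):
        data += frame(CONTINUATION, 0, 1, fragment)
    return data


def legitimate_request():
    """Constructed benign stream: one header block split over three frames."""
    return (frame(HEADERS, 0, 1, b"abc") + frame(CONTINUATION, 0, 1, b"def")
            + frame(CONTINUATION, END_HEADERS, 1, b"ghi"))


def run(data, limit_per_minute=None, frames_per_second=1000.0):
    """Feed a stream at a modelled arrival rate and return
    (bytes still buffered, frames accepted, completed blocks, stopped_by_limit)."""
    asm = HeaderBlockAssembler(limit_per_minute)
    accepted, blocks = 0, []
    for i, (ftype, flags, sid, payload) in enumerate(iter_frames(data)):
        try:
            block = asm.feed(ftype, flags, sid, payload, now=i / frames_per_second)
        except FloodError:
            return len(asm.buf), accepted, blocks, True
        accepted += 1
        if block is not None:
            blocks.append(block)
    return len(asm.buf), accepted, blocks, False
```

Running run(continuation_flood(1000)) shows the vulnerable assembler holding all 1001 fragments (about 1 MiB from a single stream that never produced a request), while run(continuation_flood(1000), 120) tears the connection down after the 120th CONTINUATION frame and run(legitimate_request(), 120) still assembles the benign block. The third case worth checking, run(continuation_flood(1000), 120, 1.0), is the caveat of a per-minute counter: a client that paces its frames below the limit stays under it indefinitely and the buffer still grows, which is why the setting is a workaround and the upgrade is the fix.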
Related Identifiers
Affected Products
Apache Traffic Server