HTTP/2 CONTINUATION Flood
CONTINUATION Flood is a class of vulnerabilities within numerous HTTP/2 protocol implementations. In many cases, it poses a more severe threat compared to the Rapid Reset: a single machine (and in certain instances, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation. Remarkably, requests that constitute an attack are not visible in HTTP access logs.
What is the CONTINUATION Flood?
It is a new class of vulnerabilities in multiple implementations of HTTP/2 protocol. The root cause is an incorrect handling of HEADERS and multiple CONTINUATION frames which ultimately leads to Denial of Service.
The outcome depends on the implementation but ranges from an instant crash after sending a couple of HTTP/2 frames, Out Of Memory crash, to CPU exhaustion affecting server availability.
More technical details can be found in HTTP/2 CONTINUATION Flood: Technical Details post.
Affected projects
The maintainers of the following projects confirmed vulnerability (alphabetical order). Check respective security advisories for more information.
Show projects which inherited the vulnerabilityHide projects which inherited the vulnerability: projects using an affected server or importing an affected package. The list is not comprehensive.
| Project | Confirmed | Affected Versions | CVE ID | Links |
|---|---|---|---|---|
| amphp/http | 2024-03-11 | >= 2.0.0 && <= 2.1.0, <= 1.7.2 | CVE-2024-2653 | Advisory |
| Apache HTTP Server (httpd) | 2024-02-23 | 2.4.17-2.4.58 | CVE-2024-27316 | Advisory |
| Apache Tomcat | 2024-01-25 | <=11.0.0-M16, <=10.1.18, <=9.0.85, 8.5.0-8.5.98 | CVE-2024-24549 | Advisory* |
| ↳ cPanel | 2024-04-05 | Forum | ||
| ↳ Cisco CSPC | 2024-04-29 | Advisory | ||
| ↳ Cisco NLS | 2024-04-29 | Advisory | ||
| ↳ Easy Apache | 2024-04-09 | Advisory | ||
| ↳ IBM Integration Bus | 2024-04-05 | Advisory | ||
| ↳ NetApp | 2024-04-03 | Advisory | ||
| Apache Traffic Server | 2024-03-29 | 8.0.0-8.1.9, 9.0.0-9.2.3 | CVE-2024-31309 | Advisory |
| Envoy proxy (oghttp) | 2024-02-27 | 1.29.0, 1.29.1 | CVE-2024-27919 | Advisory |
| Envoy proxy (nghttp2) | 2024-02-27 | <=1.29.2 | CVE-2024-30255 | Advisory |
| ↳ Arista | 2024-04-03 | Advisory | ||
| Golang | 2024-01-10 | <=1.20, <=1.21.8, <=1.22.1 | CVE-2023-45288** | Advisory |
| ↳ Arista | 2024-04-03 | Advisory | ||
| ↳ Caddy | 2024-04-04 | Issue | ||
| ↳ etcd | 2024-04-04 | Issue | ||
| ↳ Gitea | 2024-04-05 | PR | ||
| ↳ git-lfs | 2024-05-07 | Advisory | ||
| ↳ Google Cloud | 2024-04-03 | Advisory | ||
| ↳ gRPC | 2024-04-03 | Commit | ||
| ↳ IBM Event Streams | 2024-04-25 | Advisory | ||
| ↳ Moby | 2024-04-04 | Commit | ||
| ↳ Kubernetes | 2024-04-03 | Issue | ||
| ↳ Traefik | 2024-04-15 | Advisory | ||
h2 Rust crate |
2024-03-04 | Advisory | ||
| IBM WebSphere | 2024-04-23 | 18.0.0.2 - 24.0.0.4 | CVE-2024-27268 | Advisory |
| Mozilla Firefox | 2024-04-17 | <125 | CVE-2024-3302 | Advisory |
| Mozilla Thunderbird | 2024-04-17 | CVE-2024-3302 | ||
| nghttp2 | 2024-03-08 | <=1.60.0 | CVE-2024-28182 | Advisory |
| ↳ Arista | 2024-04-03 | Advisory | ||
| Node.js | 2024-01-15 | <=18.20.0, <=20.12.0, <=21.7.1 | CVE-2024-27983 | Advisory |
| ↳ IBM BAWCE | 2024-05-10 | Advisory | ||
| ↳ F5 BIG-IP | 2024-05-07 | Advisory | ||
| Tempesta FW | 2024-03-16 | 0.7.0 | CVE-2024-2758 | |
| █████████*** | - | - | - | |
| █████████ | - | - | - |
CONTINUATION Flood but was revealed by an exploit for this vulnerability. Because of this Tomcat team decided to publish a new release before embargo end date.** Golang team used an allocated-but-unused CVE ID left over from 2023, probably by mistake.
*** Projects affected that have not publicly confirmed it yet are currently hidden.
NOT affected: Nginx, Jetty, HAProxy, NetScaler, Varnish, Cloudflare.
Mitigation
Upgrade affected software to the latest version that contains the fix for this vulnerability. If no fix is available consider temporarily disabling HTTP/2 on the server.
Comparison to HTTP/2 Rapid Reset
Similarly to HTTP/2 Rapid Reset, CONTINUATION Flood can cause Denial of Service on an affected server. There are, however, a lot of differences which make CONTINUATION Flood a more severe attack technique:
- Rapid Reset used a combination of
HEADERS(withEND_STREAMandEND_HEADERSflags set) andRST_STREAMframes which means that standard mitigations like rate limiting could at least limit the damage. Also, the server admin would see a lot of inbound server requests and be alerted. DuringCONTINUATIONFlood attack not a single request is made (noEND_HEADERSflag)! Admins do not see any requests in the logs! - In many implementations, just one TCP connection was enough to crash the server (and in some cases with a very small amount of data sent) during the
CONTINUATIONFlood attack. On contrary, Rapid Reset was used in DDoS attacks (in most cases using a botnet was required for an attack to be successful). - Rapid Reset was exploited in the wild (check Cloudflare and Google posts). The
CONTINUATIONFlood was reported to CERT/CC so vendors were able to coordinate code fixes to prevent serious damage.
Comparison to older HTTP/2 vulnerabilities can be found in HTTP/2 CONTINUATION Flood: Technical Details post.
Is it a bug in HTTP/2 protocol?
It is an implementation bug in multiple HTTP/2 implementations. RFC9113 in section “10.5.1. Limits on Field Block Size” mentions multiple security issues that may arise if CONTINUATION frames are not handled correctly. At the same time, it does not mention a specific case in which CONTINUATION frames are sent without the final END_HEADERS flag which can have repercussions on affected servers.
Timeline
- 2024-01-05: Issue discovered by Bartek Nowotarski.
- 2024-01-08: Multiple reports sent to vendors.
- 2024-01: Confirmations from Golang, Node.js, Apache Tomcat teams.
- 2024-01-25: Report sent to CERT/CC.
- 2024-02-14: Invitation to participate in vulnerability coordination from CERT/CC. Multiple vendors join.
- 2024-02: Confirmations from Apache httpd, Envoy teams.
- 2024-03: Confirmations from Apache Traffic Server, nghttp2, amphp, Tempesta teams.
- 2024-04-03: Embargo on vulnerability information ends.
- 17:20 UTC: CERT/CC publishes a Vulnerability Note.
- 20:06 UTC: Topic started on oss-sec mailing list.
- 2024-04-04: National CERTs/CSIRTs (Spain, Romania, Italy, Japan, Belgium, Singapore, France) warn about the vulnerability.
- 2024-04-08: CISA.gov includes
CONTINUATIONFlood in the weekly Vulnerability Summary. - 2024-04-16: The vulnerability mentioned in DDoS threat report for 2024 Q1 by Cloudflare.
- 2024-04-17: Mozilla Firefox vulnerable to HTTP/2
CONTINUATIONFlood. - 2024-06-05: Presented “HTTP/2
CONTINUATIONFlood” at the M3AAWG General Meeting in Vienna. - 2024-10-04:
CONTINUATIONFlood mentioned in Radware’s “H1 2024 Global Threat Analysis”.
Technical Details
More technical details can be found in HTTP/2 CONTINUATION Flood: Technical Details post.
In the news
- Hacker News - #1 link for hours, thank you!
- Cup o’ Go podcast - great explanation of the bug in less than 10 minutes.
- SecurityWeek
- Bleeping Computer
- DDoS threat report for 2024 Q1