Apache HTTP Server Vulnerability Enables Injection of Malicious Headers and HTTP/2 Denial-of-Service


The Apache Software Foundation has released updates that address multiple vulnerabilities in the Apache HTTP Server: two HTTP/2 flaws that let an unauthenticated client mount a denial-of-service (DoS) attack, and a response-splitting flaw through which malicious headers injected into a backend response can be used to desynchronize the server from the client or proxy in front of it.

For an exposed server the impact ranges from exhausted memory and tied-up worker processes (the two HTTP/2 issues) to HTTP response splitting, which lets an attacker-controlled response be read by the next hop as more than one response.

One of the newly identified issues belongs to the CONTINUATION Flood class reported across several HTTP/2 implementations; in the Apache HTTP Server it is tracked as CVE-2024-27316, described below. An HTTP/2 header block begins in a HEADERS frame and, when it does not fit, continues in CONTINUATION frames until one of them carries the END_HEADERS flag. An implementation that keeps buffering fragments while it waits for END_HEADERS, instead of enforcing its header-size limit as data arrives, can be driven out of memory by a client that simply never finishes the block. Depending on the implementation, a single TCP connection or a handful of frames is enough to crash the server or degrade it severely.

Details of the Addressed Vulnerabilities:

CVE-2024-24795: HTTP Response Splitting in Multiple Modules

This low-severity vulnerability affects several modules of the Apache HTTP Server. An attacker who can inject malicious response headers into a backend application (for example, through an application that copies attacker-supplied input into a header value without rejecting CR/LF characters) can use the server's handling of those headers to mount an HTTP desynchronization attack. Jianjun Chen and Keran Mu of Tsinghua University and Zhongguancun Laboratory reported the issue.

Affected versions: Apache HTTP Server through 2.4.58

Fix: Users are advised to upgrade to version 2.4.59 to resolve this issue.
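As an added illustration of the response-splitting mechanism above (this is example code written for this page, not code from the Apache HTTP Server or from the reporters), the block below shows a backend that copies an attacker-supplied value into a Location header verbatim, a consumer that frames responses by Content-Length the way a proxy or client would, and the header validation that stops the split. The injected value, the header serializers and the counting consumer are all constructed for the example.

```python
"""Added example (not Apache httpd code): what HTTP response splitting looks like
when a backend writes an attacker-influenced value into a response header, and
the header validation that prevents it. Names and sample values are constructed."""
import re

# RFC 9110: a field name is a token; CR, LF and NUL are never valid in a field value.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_FORBIDDEN = ("\r", "\n", "\x00")


def header_value_is_clean(value: str) -> bool:
    """True when the value cannot terminate the current header line or start a new one."""
    return not any(ch in value for ch in _FORBIDDEN)


def serialize_response_unsafe(status: str, headers, body: bytes) -> bytes:
    """'Before' behaviour: header values are copied onto the wire verbatim."""
    head = f"HTTP/1.1 {status}\r\n"
    head += "".join(f"{name}: {value}\r\n" for name, value in headers)
    return (head + "\r\n").encode("latin-1") + body


def serialize_response_safe(status: str, headers, body: bytes) -> bytes:
    """Hardened form: refuse any header that could split the response."""
    for name, value in headers:
        if not _TOKEN.match(name):
            raise ValueError(f"invalid header name: {name!r}")
        if not header_value_is_clean(value):
            raise ValueError(f"CR/LF/NUL in value of header {name!r}")
    return serialize_response_unsafe(status, headers, body)


def count_responses(wire: bytes) -> int:
    """How many complete responses a Content-Length-framed consumer (a reverse proxy
    or a browser) sees in this byte stream. Two where the backend meant to send one
    is the desynchronization the advisory describes."""
    count, pos = 0, 0
    while pos < len(wire):
        end = wire.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        lines = wire[pos:end].decode("latin-1").split("\r\n")
        if not lines[0].startswith("HTTP/1.1 "):
            break
        content_length = 0
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                content_length = int(value.strip())
        pos = end + 4 + content_length
        count += 1
    return count


# Constructed attacker input: a redirect target that smuggles a second, fully
# formed response after the injected CRLF sequence.
INJECTED_LOCATION = (
    "/home\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
)


def demo_unsafe() -> int:
    """Responses the next hop sees when the backend writes the value verbatim."""
    wire = serialize_response_unsafe(
        "302 Found", [("Location", INJECTED_LOCATION), ("Content-Length", "0")], b"")
    return count_responses(wire)  # 2: the injected 200 OK becomes a response of its own


def demo_safe() -> bool:
    """True when the hardened serializer refuses the injected value."""
    try:
        serialize_response_safe(
            "302 Found", [("Location", INJECTED_LOCATION), ("Content-Length", "0")], b"")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("responses seen with verbatim headers:", demo_unsafe())
    print("hardened serializer rejected the value:", demo_safe())
```

The consumer here frames purely by Content-Length; a real proxy also honours chunked encoding and connection close, but the split happens the same way: whatever follows the injected blank line is parsed as the start of the next response.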

CVE-2024-27316: HTTP/2 DoS by Memory Exhaustion on Endless Continuation Frames

In this moderate-severity vulnerability, incoming HTTP/2 request headers that exceed the configured limit are temporarily buffered in nghttp2 so that the server can return an informative HTTP 413 response once the header block is complete. A client that never completes the block, but keeps sending CONTINUATION frames, therefore makes the server buffer without bound until memory is exhausted.

Reported by Bartek Nowotarski, the researcher who published the CONTINUATION Flood findings.

Affected versions: Apache HTTP Server through 2.4.58

Fix: Upgrade to version 2.4.59. Where an immediate upgrade is not possible, removing h2 from the Protocols directive (leaving only http/1.1) disables HTTP/2 and with it the attack surface for this issue and for CVE-2023-43622, at the cost of HTTP/2 for all clients.
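The following block, written for this page and not taken from the Apache HTTP Server or nghttp2, shows the frame-level mechanism behind the CONTINUATION Flood description above and CVE-2024-27316: a header block is reassembled from HEADERS and CONTINUATION frames, once in the pre-fix style (keep buffering past the limit so a 413 can be produced when the block completes) and once with the limit enforced as fragments arrive. HPACK decoding and the optional PADDED/PRIORITY fields of HEADERS are left out, so each payload is treated as an opaque fragment; the frame sizes, the 8 KB limit and the 200-frame flood are constructed.

```python
"""Added example (not Apache httpd or nghttp2 code): reassembling an HTTP/2 header
block from HEADERS + CONTINUATION frames, with and without the unbounded buffering
the advisory describes. Frame layout follows RFC 9113; HPACK decoding is out of
scope, and the PADDED/PRIORITY fields of HEADERS are not handled, so each payload is
treated as an opaque header-block fragment. All sizes and limits are constructed."""
from typing import Iterator, List, Optional, Tuple

HEADERS, CONTINUATION, END_HEADERS = 0x1, 0x9, 0x4
FRAME_HEADER_LEN = 9
Frame = Tuple[int, int, int, bytes]  # (type, flags, stream id, payload)


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, then the payload."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload does not fit the 24-bit length field")
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def iter_frames(stream: bytes) -> Iterator[Frame]:
    """Split a byte stream into frames, rejecting truncated input."""
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < FRAME_HEADER_LEN:
            raise ValueError("truncated frame header")
        length = int.from_bytes(stream[pos:pos + 3], "big")
        ftype, flags = stream[pos + 3], stream[pos + 4]
        stream_id = int.from_bytes(stream[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = stream[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        pos += FRAME_HEADER_LEN + length


class HeaderBlockTooLarge(Exception):
    pass


class HeaderBlockAssembler:
    """Collects fragments until a frame carries END_HEADERS.

    buffer_oversized=True mimics the pre-fix behaviour: keep buffering past the
    limit so an informative 413 can be sent once the block completes, which lets
    the client decide how much memory the server holds. buffer_oversized=False
    stops the moment the limit is crossed."""

    def __init__(self, max_header_block_bytes: int, buffer_oversized: bool = False):
        self.limit, self.buffer_oversized = max_header_block_bytes, buffer_oversized
        self.fragments: List[bytes] = []
        self.size = self.peak = 0            # peak: most bytes held at once (demo metric)
        self.stream_id: Optional[int] = None

    def _reset(self) -> None:
        self.fragments, self.size, self.stream_id = [], 0, None

    def feed(self, ftype: int, flags: int, stream_id: int, payload: bytes) -> Optional[bytes]:
        """Returns the complete header block on END_HEADERS, otherwise None."""
        if ftype == HEADERS and self.stream_id is None:
            self.stream_id = stream_id
        elif ftype != CONTINUATION or self.stream_id != stream_id:
            raise ValueError("frame is not a CONTINUATION of the open HEADERS")
        new_size = self.size + len(payload)
        if new_size > self.limit and not self.buffer_oversized:
            self._reset()                      # free everything; the caller resets the stream
            raise HeaderBlockTooLarge(f"header block exceeds {self.limit} bytes")
        self.fragments.append(payload)
        self.size, self.peak = new_size, max(self.peak, new_size)
        if not flags & END_HEADERS:
            return None
        block = b"".join(self.fragments)
        self._reset()
        if len(block) > self.limit:            # oversized path: the 413 is produced only now
            raise HeaderBlockTooLarge(f"header block of {len(block)} bytes exceeds {self.limit}")
        return block


def reassemble(stream: bytes, limit: int) -> bytes:
    """Reassemble the first header block found in a frame stream (normal path)."""
    asm = HeaderBlockAssembler(limit)
    for frame in iter_frames(stream):
        block = asm.feed(*frame)
        if block is not None:
            return block
    raise ValueError("stream ended without END_HEADERS")


def simulate_flood(frames: int, frame_bytes: int, limit: int,
                   buffer_oversized: bool) -> Tuple[int, int, bool]:
    """Constructed flood: one HEADERS then CONTINUATION frames, never END_HEADERS.
    Returns (frames accepted, peak bytes held, whether the assembler stopped)."""
    asm = HeaderBlockAssembler(limit, buffer_oversized)
    accepted = 0
    try:
        for ftype in [HEADERS] + [CONTINUATION] * (frames - 1):
            asm.feed(ftype, 0, 1, b"\x00" * frame_bytes)
            accepted += 1
    except HeaderBlockTooLarge:
        return accepted, asm.peak, True
    return accepted, asm.peak, False
```

With an 8 KB limit and 1 KB fragments, the pre-fix assembler accepts all 200 frames of the constructed flood and holds 200 KB, growing with every frame the client sends; the hardened one stops after the eighth frame and never holds more than the limit. Apache's actual fix lives in mod_http2 and nghttp2 rather than in a standalone assembler like this one, but the property it restores is the same: memory held per header block is bounded by the configured limit, not by the client.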

CVE-2023-43622: DoS in HTTP/2 with Initial Window Size 0

In this low-severity issue, an attacker who opens an HTTP/2 connection with an initial window size of 0 can block the Apache HTTP Server's handling of that connection indefinitely: the server has response data to send but, with a zero flow-control window, may not send any of it until the client issues a WINDOW_UPDATE, which the attacker never does. Holding many such connections open exhausts the server's worker resources, similar to the well-known "slow loris" attack pattern.

Reported by Professor Heejo Lee and Choongin Lee (Korea University), and Professor Sven Dietrich and Isa Jafarov (City University of New York).

Affected versions: Apache HTTP Server from 2.4.55 through 2.4.57

Fix: Upgrade to version 2.4.58 or later; 2.4.59 carries this fix together with the fixes for the two issues above.
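The block below, an added example rather than code from Apache's mod_http2, shows the send-window accounting that the zero-window attack above abuses and the kind of bound that stops it: a stream that has data pending while the peer keeps the window at 0 is timed against a stall deadline instead of waiting forever. The stall_timeout policy, the one-second fake clock and the scripted clients (one that never sends WINDOW_UPDATE, two that do) are constructed for illustration; the example does not claim to reproduce how 2.4.58 implements its fix.

```python
"""Added example (not Apache mod_http2 code): HTTP/2 send-window accounting with a
bound on how long a stream may sit at window 0 waiting for a WINDOW_UPDATE. The
stall_timeout policy, the fake clock and the client scripts are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_WINDOW = 2 ** 31 - 1  # RFC 9113: a flow-control window may not exceed 2^31-1


@dataclass
class SendWindow:
    window: int                      # bytes the peer currently allows us to send
    stall_timeout: Optional[float]   # None reproduces the unbounded wait
    stalled_since: Optional[float] = None
    sent: List[bytes] = field(default_factory=list)

    def write(self, payload: bytes, now: float) -> bytes:
        """Send what the window allows and return the remainder. The stall clock
        starts when data is pending but the window is empty."""
        n = min(self.window, len(payload))
        if n:
            self.sent.append(payload[:n])
            self.window -= n
        remaining = payload[n:]
        if remaining and self.window == 0:
            if self.stalled_since is None:
                self.stalled_since = now
        else:
            self.stalled_since = None
        return remaining

    def window_update(self, increment: int, now: float) -> None:
        """Apply a WINDOW_UPDATE; a zero increment or an overflow is a FLOW_CONTROL_ERROR."""
        if increment <= 0 or self.window + increment > MAX_WINDOW:
            raise ValueError("WINDOW_UPDATE increment out of range")
        self.window += increment
        self.stalled_since = None

    def stalled_for(self, now: float) -> float:
        return 0.0 if self.stalled_since is None else now - self.stalled_since

    def should_abort(self, now: float) -> bool:
        """True once the peer has held us at window 0 longer than policy allows."""
        return self.stall_timeout is not None and self.stalled_for(now) >= self.stall_timeout


def serve_response(body: bytes, initial_window: int, stall_timeout: Optional[float],
                   updates: Dict[int, int], max_ticks: int = 120) -> Tuple[str, int]:
    """Drive one stream on a fake one-second clock. `updates` maps a tick to the
    WINDOW_UPDATE increment the client sends at that tick; an empty dict is the
    client that never updates. Returns (outcome, tick), where outcome is "done",
    "aborted", or "still_blocked" (the pre-fix behaviour: the worker is still held
    when the simulation gives up)."""
    win = SendWindow(initial_window, stall_timeout)
    pending, now = body, 0
    for now in range(max_ticks):
        if now in updates:
            win.window_update(updates[now], now)
        pending = win.write(pending, now)
        if not pending:
            return "done", now
        if win.should_abort(now):
            return "aborted", now
    return "still_blocked", now
```

A client that sets the initial window to 0 and stays silent keeps the unbounded stream blocked for the whole simulation, while the bounded stream is aborted at the deadline and its worker freed; clients that do send WINDOW_UPDATE complete normally, so the bound costs legitimate traffic nothing as long as the deadline is generous compared with real round-trip times.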

Both HTTP/2 issues are reachable by any client that can open a connection, and the response-splitting issue turns a header-injection weakness in a backend into a desynchronization of the front end, so operators should upgrade affected installations to 2.4.59, which carries all of the fixes above, and confirm the running version afterwards rather than relying on the package having been staged.