HTTP2 bug plagues web servers

A common misconfiguration in popular web servers that support HTTP2 exposes them to low-effort denial-of-service attacks, according to security researcher Bartek Nowotarski.

What Nowotarski calls the Continuation Flood attack is a class of vulnerabilities in HTTP2 protocol implementations.

"A single machine (and in certain instances, a mere single TCP connection or a handful of frames) has the potential to disrupt server availability, with consequences ranging from server crashes to substantial performance degradation," he wrote.

Nowotarski added that attacks “are not visible in HTTP access logs”.

The Continuation frame is used to split header blocks across multiple frames, and the problem arises if an HTTP2 implementation does not limit the number of Continuation frames in a single stream.

“An attacker that can send packets to a target server can send a stream of Continuation frames that will not be appended to the header list in memory but will still be processed and decoded by the server or will be appended to the header list, causing an out of memory (OOM) crash," the Carnegie-Mellon CERT offered in this description of the attack.

Nowotarski said the outcome of an attack is implementation-dependent but includes “instant crash after sending a couple of HTTP/2 frames” and CPU exhaustion.

Affected software includes Apache Tomcat (CVE-2023-38709), Golang (CVE-2023-452880), node.js and others.

If fixes are not available, Nowotarski advises system admins to disable HTTP2 support.

HTTP2 is an update to the HTTP protocol and has been in use since 2015.