CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames
Published Mar 6, 2024
·Updated
Accounts. The issue was addressed with improved checks.
Credit
Yeto, IES Red Team(ByteDance), Linwz(DEVCORE), Csaba Fitzl@@theevilbit(Kandji), Mickey Jin@@patch1t, Michael DePlante@@izobashi(Trend Micro Zero Day Initiative), CertiK SkyFall Team, D4m0n, Amir Bazine(CrowdStrike Counter Adversary Operations), Karsten König(CrowdStrike Counter Adversary Operations), CVE-2024-2004, CVE-2024-2379, CVE-2024-2398, CVE-2024-2466, an anonymous researcher, Yann Gascuel(Alter Solutions), w0wbox, CVE-2023-6277, CVE-2023-52356, Yisumi, Junsung Lee(Trend Micro Zero Day Initiative), (CrowdStrike Counter Adversary Operations), Gandalf4a, Wang Yu(Cyberserval), Ye Zhang@@VAR10CK(Baidu Security), sqrtpwn, Minghao Lin(Zhejiang University), Jiaxun Zhu(Zhejiang University), Patrick Wardle(DoubleYou), CVE-2024-40805, Rodolphe BRUNETTI@@eisw0lf, Adam M., CVE-2024-6387, Pedro Tôrres@@t0rr3sp3dr0, Zhongquan Li@@Guluisacat(Dawn Security Lab of JingDong), Mickey Jin@@patch1t(Kandji), (Kandji), Mateen Alinaghi, Claudio Bozzato(Cisco Talos), Francesco Benvenuto(Cisco Talos), Csaba Fitzl@@theevilbit(Offensive Security), Yadhu Krishna M(Cyber Security At Suma Soft Pvt), Narendra Bhati(Cyber Security At Suma Soft Pvt), Manager(Cyber Security At Suma Soft Pvt), Pune (India), Wojciech Regula(SecuRing), (Dawn Security Lab of JingDong), Kirin@@Pwnrin, Joshua Jones, Jiwon Park, Marcio Almeida(Tanto Security), Bistrit Dahal, Srijan Poudel, Jiahui Hu (梅零落)(NorthSea), Meng Zhang (鲸落)(NorthSea), Arsenii Kostromin (0x3c3e), ajajfxhj, Huang Xilin(Ant Group Light), Maksymilian Motyl, Johan Carlsson (joaxcar), Seunghyun Lee@@0x10n(KAIST Hacking Lab working with Trend Micro Zero Day Initiative), CVE-2024-4558, Matthew Butler, Gary Kwong, Andreas Jaegersberger, Ro Achterberg
Affected Software
16 affected componentsFixes available
Apple macOS Sonoma<14.6
14.6
debian/apache2
2.4.62-1~deb11u12.4.62-1~deb11u22.4.62-1~deb12u22.4.63-1
Apache HTTP Server>=2.4.17<2.4.59
Fedoraproject Fedora=38
Fedoraproject Fedora=39
Fedoraproject Fedora=40
NetApp Ontap=9
IBM R10.0<=10.1.3.0
10.0.245.0
IBM R9.4<=89.42.18.0
89.41.25.0
89.40.83.0
IBM R9.3<=89.33.52.0
89.33.45.0
redhat/httpd<2.4.59
2.4.59
Microsoft azl3 mod_http2 2.0.29-3
Microsoft azl3 httpd 2.4.61-1
Microsoft azl3 httpd 2.4.58-4
Microsoft cbl2 httpd 2.4.58-1
Microsoft cbl2 httpd 2.4.59-1
Remediation
Event History
Mar 6, 2024
Data Sourced
via Red Hat·09:33 PM
DescriptionSeverityAffected Software
Apr 4, 2024
CVE Published
via MITRE·07:21 PM
Data Sourced
via MITRE·07:21 PM
DescriptionWeakness
Data Sourced
via NVD·08:15 PM
DescriptionSeverityWeaknessAffected Software
Apr 27, 2024
Data Sourced
via Microsoft·07:00 AM
DescriptionSeverityWeakness
Data Sourced
via Microsoft·07:00 AM
Affected Software
Updated
via Microsoft·07:00 AM
DescriptionSeverity
Jun 26, 2024
Data Sourced
via Launchpad·05:58 PM
Description
Sep 14, 2024
Data Sourced
via Ubuntu·06:09 PM
RemedyDescriptionSeverityAffected Software
Frequently Asked Questions
1
What is the severity of CVE-2024-27316?
The severity of CVE-2024-27316 has not been explicitly classified, but it affects multiple platforms including Apache HTTP Server and macOS.
2
How do I fix CVE-2024-27316?
To fix CVE-2024-27316, upgrade Apache HTTP Server to version 2.4.62 or later, or update macOS to version 14.6 or later.
3
Which software versions are affected by CVE-2024-27316?
CVE-2024-27316 affects Apache HTTP Server versions from 2.4.17 to before 2.4.59, and macOS versions up to 14.6.
4
Is CVE-2024-27316 specific to any operating systems?
Yes, CVE-2024-27316 affects multiple operating systems including Red Hat, Fedora, and Apple's macOS.
5
What should I do if I cannot upgrade to the fixed version for CVE-2024-27316?
If an upgrade is not possible, consider implementing temporary mitigation strategies such as adjusting server configurations to limit header sizes.