CVE-2024-27316
📋 TL;DR
This vulnerability in nghttp2's HTTP/2 implementation allows memory exhaustion attacks when a client sends excessive headers. Attackers can cause denial of service by overwhelming server memory. It affects software that uses the nghttp2 library for HTTP/2 support, including Apache HTTP Server and Apple products.
💻 Affected Systems
- Apache HTTP Server
- Apple products using nghttp2
- Other software using nghttp2 library
📦 What is this software?
Fedora by Fedoraproject
Ontap by Netapp
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage due to memory exhaustion, potentially affecting multiple services on the same host
Likely Case
Denial of service affecting HTTP/2 enabled services, requiring restart to recover
If Mitigated
Minimal impact with proper rate limiting and memory monitoring
🎯 Exploit Status
Simple to exploit with HTTP/2 client tools. Proof of concept available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apache 2.4.59, Apple security updates 2024
Vendor Advisory: https://httpd.apache.org/security/vulnerabilities_24.html
Restart Required: Yes
Instructions:
1. Update Apache to version 2.4.59 or later.
2. Apply Apple security updates for affected products.
3. Restart affected services after patching.
🔧 Temporary Workarounds
Disable HTTP/2
Temporarily disable the HTTP/2 protocol to mitigate the vulnerability.
In Apache, change: Protocols h2 h2c http/1.1 -> Protocols http/1.1
Limit HTTP/2 header size
Configure smaller header limits to reduce the memory impact.
In Apache:
LimitRequestFields 100
LimitRequestFieldSize 8190
🧯 If You Can't Patch
- Implement rate limiting for HTTP/2 connections
- Deploy WAF with HTTP/2 anomaly detection
🔍 How to Verify
Check if Vulnerable:
Run 'httpd -v' and check whether the version is between 2.4.17 and 2.4.58 with HTTP/2 enabled.
Check Version:
httpd -v
Verify Fix Applied:
Confirm the Apache version is 2.4.59 or later and that HTTP/2 is functioning normally.
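The following shell script is an added example (not part of this advisory or of the Apache project) that turns the verification steps above into a repeatable check: it parses the version from 'httpd -v' output, tests it against the affected range 2.4.17 through 2.4.58, and checks 'httpd -M' output for a loaded http2_module. The sample command output embedded at the bottom is constructed; on a real host you would feed it the live output of the two commands.

```shell
#!/bin/sh
# Added example, not part of the advisory: decide from `httpd -v` and `httpd -M`
# output whether a host is in the affected range (Apache 2.4.17 through 2.4.58
# with mod_http2 loaded). The sample output near the bottom is constructed.

# Return 0 when $1 is an Apache version inside the affected range 2.4.17-2.4.58.
is_affected_version() {
  major=$(printf '%s' "$1" | cut -d. -f1)
  minor=$(printf '%s' "$1" | cut -d. -f2)
  patch=$(printf '%s' "$1" | cut -d. -f3 | sed 's/[^0-9].*$//')
  # Reject anything that is not a plain numeric patch level (e.g. "2.4").
  case "$patch" in ''|*[!0-9]*) return 1 ;; esac
  if [ "$major" = "2" ] && [ "$minor" = "4" ] \
     && [ "$patch" -ge 17 ] && [ "$patch" -le 58 ]; then
    return 0
  fi
  return 1
}

# Print the version number from `httpd -v` output
# (first line looks like "Server version: Apache/2.4.58 (Unix)").
version_from_httpd_v() {
  printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9.]*\).*$/\1/p' | head -n 1
}

# Return 0 when `httpd -M` output lists http2_module.
http2_loaded() {
  if printf '%s\n' "$1" | grep -q 'http2_module'; then
    return 0
  fi
  return 1
}

# Combine both checks. Exit status: 0 = affected, 1 = not affected, 2 = could not parse.
# A loaded mod_http2 is only a necessary condition: the advisory also requires HTTP/2
# to be enabled via the Protocols directive, so review that directive as well.
check_host() {
  ver=$(version_from_httpd_v "$1")
  if [ -z "$ver" ]; then
    echo "could not parse Apache version" >&2
    return 2
  fi
  if is_affected_version "$ver" && http2_loaded "$2"; then
    echo "AFFECTED: Apache/$ver with mod_http2 loaded; update to 2.4.59 or later"
    return 0
  fi
  echo "not affected: Apache/$ver"
  return 1
}

# Constructed sample output standing in for the real binaries.
SAMPLE_V='Server version: Apache/2.4.58 (Unix)
Server built:   Jan 1 2024'
SAMPLE_M='Loaded Modules:
 core_module (static)
 http2_module (shared)'

check_host "$SAMPLE_V" "$SAMPLE_M" || true

# On a live host run:  check_host "$(httpd -v)" "$(httpd -M 2>/dev/null)"
```

Distribution packages sometimes backport the fix without changing the reported version number, so on Debian, Fedora or NetApp systems cross-check the package changelog against the vendor advisories listed in the References section before trusting a version-only result.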
📡 Detection & Monitoring
Log Indicators:
- Excessive 413 responses
- Memory exhaustion errors
- HTTP/2 connection resets
Network Indicators:
- High volume of HTTP/2 connections with large headers
- Abnormal header patterns
SIEM Query:
source="apache" AND (status=413 OR "memory" OR "HTTP/2")
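The SIEM query above matches any single 413 response, which is noisy on a busy server. The following shell script is an added example (not from the advisory) that applies the "excessive 413 responses" indicator per client instead: it reads an Apache access log in the combined format, counts 413 responses on HTTP/2 requests per client address, and reports addresses at or above a threshold. The log lines and the threshold are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the advisory: count 413 responses per client over
# HTTP/2 in an Apache access log (combined format) and report clients above a
# threshold. The log lines and the threshold are constructed sample values.

# Write a constructed access log to a temporary file and print its path.
make_sample_log() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
203.0.113.7 - - [03/Apr/2024:10:00:01 +0000] "GET / HTTP/2.0" 413 0 "-" "h2client/1.0"
203.0.113.7 - - [03/Apr/2024:10:00:01 +0000] "GET / HTTP/2.0" 413 0 "-" "h2client/1.0"
198.51.100.2 - - [03/Apr/2024:10:00:02 +0000] "GET /index.html HTTP/2.0" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Apr/2024:10:00:02 +0000] "GET / HTTP/2.0" 413 0 "-" "h2client/1.0"
198.51.100.2 - - [03/Apr/2024:10:00:03 +0000] "GET /big HTTP/1.1" 413 0 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Apr/2024:10:00:03 +0000] "GET / HTTP/2.0" 413 0 "-" "h2client/1.0"
EOF
  printf '%s\n' "$f"
}

# Print "ip count" for every client with at least $2 HTTP/2 413 responses in log $1.
# In the combined format field 1 is the client address, field 8 the protocol token
# of the request line (e.g. HTTP/2.0") and field 9 the status code.
flag_413_flood() {
  awk -v threshold="$2" '
    $9 == 413 && $8 ~ /^HTTP\/2/ { count[$1]++ }
    END { for (ip in count) if (count[ip] >= threshold) print ip, count[ip] }
  ' "$1" | sort
}

SAMPLE_LOG=$(make_sample_log)
flag_413_flood "$SAMPLE_LOG" 3
# Live use, e.g. on the current log: flag_413_flood /var/log/httpd/access_log 50
```

Only requests that reach the access log are counted, so a connection torn down for memory reasons before a response is written leaves no 413 entry; pair this with the memory and connection-reset indicators from the error log and with process memory monitoring rather than relying on it alone.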
🔗 References
- http://seclists.org/fulldisclosure/2024/Jul/18
- http://www.openwall.com/lists/oss-security/2024/04/04/4
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://support.apple.com/kb/HT214119
- https://www.openwall.com/lists/oss-security/2024/04/03/16
- https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FO73U3SLBYFGIW2YKXOK7RI4D6DJSZ2B/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MIUBKSCJGPJ6M2U63V6BKFDF725ODLG7/
- https://security.netapp.com/advisory/ntap-20240415-0013/
- https://www.kb.cert.org/vuls/id/421644