CVE-2024-39702
📋 TL;DR
This CVE describes a Hash Denial of Service (HashDoS) vulnerability in OpenResty's string hashing function. Attackers can send crafted requests to cause excessive resource consumption during proxy operations, potentially leading to denial of service with relatively few requests. Only OpenResty fork users are affected - standard LuaJIT installations are not vulnerable.
💻 Affected Systems
- OpenResty
📦 What is this software?
Openresty by Openresty
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to CPU exhaustion from hash collisions, affecting all proxy operations through OpenResty.
Likely Case
Degraded performance and intermittent service disruptions under targeted attack, requiring restart or load redistribution.
If Mitigated
Minimal impact with proper rate limiting, request filtering, and updated versions.
🎯 Exploit Status
Attack requires sending specially crafted HTTP requests to trigger pathological hash collisions in string interning.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenResty 1.25.3.2
Vendor Advisory: https://openresty.org/en/ann-1025003002.html
Restart Required: Yes
Instructions:
1. Download OpenResty 1.25.3.2 or later from official sources.
2. Replace the existing OpenResty installation.
3. Restart all OpenResty services and processes.
🔧 Temporary Workarounds
Rate Limiting
Implement request rate limiting to prevent mass exploitation attempts.
# Using the nginx/OpenResty limit_req module
# limit_req_zone goes in the http {} context; limit_req in server {} or location {}
limit_req_zone $binary_remote_addr zone=reqlimit:10m rate=10r/s;
limit_req zone=reqlimit burst=20 nodelay;
Request Filtering
Filter or block requests with unusually long or complex strings in headers/parameters.
# Example nginx config to limit request sizes (http {} or server {} context);
# requests exceeding the header buffers are rejected before proxying
client_max_body_size 1M;
large_client_header_buffers 4 8k;
🧯 If You Can't Patch
- Implement strict rate limiting and request size restrictions
- Deploy WAF rules to detect and block hash collision attack patterns
🔍 How to Verify
Check if Vulnerable:
Check whether the running nginx binary is an OpenResty build:
nginx -V 2>&1 | grep -i openresty
Check Version:
openresty -v 2>&1 | head -1
Verify Fix Applied:
Verify the reported version is 1.25.3.2 or later:
openresty -v
📡 Detection & Monitoring
Log Indicators:
- Unusually high CPU usage spikes
- Increased request processing times
- Multiple requests with similar but varied long strings
Network Indicators:
- Bursts of requests with crafted strings in parameters/headers
- Pattern of requests designed to trigger hash collisions
SIEM Query:
source="nginx-access" AND (uri_length>1000 OR arg_length>500) | stats count by src_ip
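The same filter-and-count logic as the SIEM query above, written as an offline script over nginx access logs. This is an added example, not part of the advisory; the log lines are constructed for illustration and the thresholds are the ones the query uses.

```python
import re
from collections import Counter

# nginx "combined" log format: src_ip ident user [timestamp] "METHOD URI PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

URI_LEN_LIMIT = 1000  # thresholds mirror the SIEM query: uri_length>1000 OR arg_length>500
ARG_LEN_LIMIT = 500

def parse_line(line):
    """Extract src_ip, full URI length and query-string length; None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = m.group("uri")
    _path, _, query = uri.partition("?")
    return {"src_ip": m.group("src_ip"), "uri_length": len(uri), "arg_length": len(query)}

def is_suspicious(rec):
    """Oversized request line or query string, the coarse signal the query keys on."""
    return rec["uri_length"] > URI_LEN_LIMIT or rec["arg_length"] > ARG_LEN_LIMIT

def count_by_src_ip(lines):
    """Equivalent of '... | stats count by src_ip' over the suspicious subset."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            counts[rec["src_ip"]] += 1
    return counts

def _line(ip, uri):
    # Constructed sample log line (not from a real deployment)
    return f'{ip} - - [10/Jun/2024:12:00:01 +0000] "GET {uri} HTTP/1.1" 200 512 "-" "curl/8.0"'

SAMPLE_LOG = [
    _line("203.0.113.7", "/index.html"),                    # normal
    _line("203.0.113.7", "/api?q=" + "a" * 40),             # short query, normal
    _line("198.51.100.9", "/" + "x" * 1100),                # uri_length > 1000
    _line("198.51.100.9", "/api?k=" + "y" * 600),           # arg_length > 500
    _line("198.51.100.9", "/api?" + "&".join(f"k{i}=v" for i in range(150))),  # many args, > 500
    "this line is not an access log entry",                 # ignored by the parser
]

if __name__ == "__main__":
    for ip, n in count_by_src_ip(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n}")
```

Feed a real access log with `count_by_src_ip(open("access.log"))` and alert on sources whose count jumps relative to their baseline; the thresholds are a starting point, not a definition of the attack.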