
HTTP/2 CONTINUATION frames can be utilized for DoS attacks

Moderate
krizhanovsky published GHSA-3xwj-5ch3-q9p4 Apr 4, 2024

Package

No package listed

Affected versions

< 0.7.1

Patched versions

0.7.1

Description

An HTTP/2 CONTINUATION frames flood may lead to out of memory (OOM) on Tempesta FW host.

Impact

This is a (D)DoS vulnerability that affects all Tempesta FW installations prior to 0.7.1, especially those running without HTTP rate-limit configurations.

Patches

Version 0.7.1 and later, as well as the current development branch (default), contain fixes for empty HTTP/2 frames and default rate limits that prevent the OOM.

Binary packages for 0.7.1 are available here.

Workarounds

Tempesta FW provides a set of rate limits, such as http_max_header_list_size (the total size of headers), http_header_cnt (the number of headers) and max_concurrent_streams (the number of concurrent HTTP/2 streams). These limits are recommended to mitigate attacks that target HTTP/2 state keeping. However, they are not enabled by default, and to be usable in real workloads they must be set much larger than the number of empty CONTINUATION frames (or other empty frames) that should be tolerated, so on their own they do not bound a flood of zero-length frames.
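The following C model, added here as an illustration and not taken from Tempesta FW's code base, shows why a byte-based header limit alone does not stop the flood described in this advisory: a receiver accounts for each HEADERS/CONTINUATION fragment it buffers, and a cap that only counts bytes (the role of http_max_header_list_size) never trips on zero-length frames, so a separate cap on empty CONTINUATION frames is needed. The frame header layout and frame types come from RFC 9113; the two limit values MAX_HEADER_BLOCK_BYTES and MAX_EMPTY_CONTINUATION, the function names and the constructed attack stream are assumptions of this example, not Tempesta FW's configuration or defaults.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* HTTP/2 constants from RFC 9113; every frame starts with a 9-octet header. */
#define H2_FRAME_HDR_LEN 9
#define H2_HEADERS 0x1
#define H2_CONTINUATION 0x9
#define H2_FLAG_END_HEADERS 0x4
/* Illustrative limits, assumed for this example (not Tempesta FW's settings). */
#define MAX_HEADER_BLOCK_BYTES 8192 /* byte cap, like a header-list-size limit */
#define MAX_EMPTY_CONTINUATION 8    /* separate cap on zero-length fragments */

enum h2_result { H2_OK = 0, H2_ERR_PROTOCOL = -1, H2_ERR_TOO_LARGE = -2,
                 H2_ERR_EMPTY_FLOOD = -3, H2_ERR_TRUNCATED = -4 };
struct h2_frame { uint32_t len, stream_id; uint8_t type, flags; }; /* decoded frame header */
struct frame_spec { uint8_t type, flags; uint32_t len; };          /* frame to construct */

/* Per-connection state for the header block currently being assembled. */
struct h2_hdr_state {
    int in_progress; uint32_t stream_id;
    size_t buffered_bytes;               /* bytes a real decoder would have to hold */
    unsigned fragments, empty_fragments; /* accepted fragments; zero-length CONTINUATIONs */
};

/* Decode the 9-octet frame header; returns 0 on success, -1 if b is too short. */
static int h2_parse_frame_hdr(const uint8_t *b, size_t n, struct h2_frame *f)
{
    if (n < H2_FRAME_HDR_LEN) return -1;
    f->len = ((uint32_t)b[0] << 16) | ((uint32_t)b[1] << 8) | b[2];
    f->type = b[3]; f->flags = b[4];
    f->stream_id = (((uint32_t)b[5] << 24) | ((uint32_t)b[6] << 16) | ((uint32_t)b[7] << 8) | b[8]) & 0x7fffffffu;
    return 0;
}

/* Apply both limits to one HEADERS or CONTINUATION frame. */
static enum h2_result h2_account_fragment(struct h2_hdr_state *st, const struct h2_frame *f)
{
    if (f->type == H2_HEADERS) {
        if (st->in_progress) return H2_ERR_PROTOCOL; /* new HEADERS cannot start mid-block */
        memset(st, 0, sizeof(*st));
        st->in_progress = 1; st->stream_id = f->stream_id;
    } else if (f->type == H2_CONTINUATION) {
        if (!st->in_progress || f->stream_id != st->stream_id) return H2_ERR_PROTOCOL;
        /* The byte cap below never trips on empty frames, so they get their own cap. */
        if (f->len == 0 && ++st->empty_fragments > MAX_EMPTY_CONTINUATION) return H2_ERR_EMPTY_FLOOD;
    } else return H2_ERR_PROTOCOL; /* only HEADERS/CONTINUATION are modelled here */
    if (st->buffered_bytes + f->len > MAX_HEADER_BLOCK_BYTES) return H2_ERR_TOO_LARGE;
    st->buffered_bytes += f->len; st->fragments++;
    if (f->flags & H2_FLAG_END_HEADERS) st->in_progress = 0;
    return H2_OK;
}

/* Walk a raw frame stream, stopping at the first error; *accepted gets the fragment count. */
static enum h2_result h2_check_stream(const uint8_t *buf, size_t n, unsigned *accepted)
{
    struct h2_hdr_state st = { 0, 0, 0, 0, 0 }; struct h2_frame f;
    enum h2_result r = H2_OK; size_t off = 0;
    while (off < n) {
        if (h2_parse_frame_hdr(buf + off, n - off, &f) < 0 || off + H2_FRAME_HDR_LEN + f.len > n) {
            r = H2_ERR_TRUNCATED; break;
        }
        if ((r = h2_account_fragment(&st, &f)) != H2_OK) break;
        off += H2_FRAME_HDR_LEN + f.len;
    }
    *accepted = st.fragments;
    return r;
}

/* Serialize constructed frames (stream 1, zero-filled payloads) and feed them to the checker. */
static enum h2_result h2_run_specs(const struct frame_spec *s, size_t count, unsigned *accepted)
{
    size_t cap = 0, off = 0, i; uint8_t *buf, *p; enum h2_result r;
    for (i = 0; i < count; i++) cap += H2_FRAME_HDR_LEN + s[i].len;
    if (!(buf = malloc(cap + 1))) return H2_ERR_TRUNCATED;
    for (i = 0; i < count; i++) {
        p = buf + off;
        p[0] = s[i].len >> 16; p[1] = s[i].len >> 8; p[2] = s[i].len;
        p[3] = s[i].type; p[4] = s[i].flags;
        p[5] = p[6] = p[7] = 0; p[8] = 1;          /* stream id 1 */
        memset(p + H2_FRAME_HDR_LEN, 0, s[i].len);  /* payload bytes are irrelevant here */
        off += H2_FRAME_HDR_LEN + s[i].len;
    }
    r = h2_check_stream(buf, off, accepted);
    free(buf);
    return r;
}

/* Attack shape from the advisory: HEADERS without END_HEADERS, then n empty CONTINUATIONs. */
static enum h2_result simulate_empty_continuation_flood(unsigned n, unsigned *accepted)
{
    struct frame_spec *s = malloc((n + 1) * sizeof(*s));
    enum h2_result r; unsigned i;
    if (!s) return H2_ERR_TRUNCATED;
    s[0].type = H2_HEADERS; s[0].flags = 0; s[0].len = 16;
    for (i = 1; i <= n; i++) { s[i].type = H2_CONTINUATION; s[i].flags = 0; s[i].len = 0; }
    r = h2_run_specs(s, n + 1, accepted);
    free(s);
    return r;
}
```

Running simulate_empty_continuation_flood with a large n shows the flood being cut off after MAX_EMPTY_CONTINUATION zero-length frames while buffered_bytes is still only 16, which is exactly the case a byte-only limit such as http_max_header_list_size would have let through; a legitimate block of a HEADERS frame plus a couple of CONTINUATION frames (one of them empty, carrying END_HEADERS) passes both caps.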

References

CVE-2024-2758

Severity

Moderate

CVE ID

CVE-2024-2758

Weaknesses

No CWEs