LiteSpeed Not Vulnerable to HTTP/2 Continuation Flood

Here is what you need to know about the HTTP/2 CONTINUATION Flood vulnerability, CVE-2024-27316 in particular, and how it relates to LiteSpeed:

  • The vulnerability lets an attacker send an endless stream of CONTINUATION frames; a server that buffers or decodes the header block without an upper bound is overwhelmed, typically running out of memory
  • LiteSpeed servers are not vulnerable to HTTP/2 CONTINUATION Flood

What is Continuation Flood?

The HTTP/2 CONTINUATION Flood vulnerability was announced yesterday in Vulnerability Note VU#421644, published by the CERT Coordination Center (CERT/CC).

The note states:

An attacker that can send packets to a target server can send a stream of CONTINUATION frames that will not be appended to the header list in memory but will still be processed and decoded by the server or will be appended to the header list, causing an out of memory (OOM) crash.

The note goes on to list CVEs assigned to individual HTTP/2 implementations, including the following:

  • CVE-2024-27983 (node.js)
  • CVE-2024-27919 and CVE-2024-30255 (Envoy)
  • CVE-2024-2758 (Tempesta)
  • CVE-2024-2653 (amphp/http)
  • CVE-2023-45288 (Go)
  • CVE-2024-28182 (nghttp2)
  • CVE-2024-31309 (Apache Traffic Server)

CVE-2024-27316 is of particular interest to LiteSpeed users because it applies to the Apache httpd implementation:

HTTP/2 CONTINUATION frames without the END_HEADERS flag set can be sent in a continuous stream by an attacker to an Apache Httpd implementation, which will not properly terminate the request early.

LiteSpeed Web Server is an Apache drop-in replacement, but LiteSpeed does not share any code with Apache.

Because LiteSpeed implements Apache compatibility from the ground up rather than reusing Apache code, LiteSpeed is usually not subject to the same vulnerabilities as Apache. That is indeed the case with the HTTP/2 CONTINUATION Flood vulnerability.

How are LiteSpeed Users Protected?

The HTTP/2 implementation in LiteSpeed Web Server, OpenLiteSpeed, and LiteSpeed Web ADC applies a 64K upper limit on the total bytes buffered for a request's header block. Once that limit is reached, the connection is closed.

Attackers attempting to exploit this vulnerability against LiteSpeed Web Server will find their efforts thwarted after a mere 64K of header data, at which point the connection is dropped.
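To make the attack in the CERT note and the 64K cap described above concrete, here is a small Python model of the HTTP/2 frame layer. It is an added example, not LiteSpeed, Apache, or any other project's code. The constants `MAX_HEADER_BUFFER`, the `assemble_header_block` function and the `continuation_flood` generator are assumptions made for illustration; beyond the "64K" figure, the post does not specify how LiteSpeed counts or enforces its limit.

```python
"""Toy HTTP/2 frame layer, constructed for this post, showing how an attacker
streams CONTINUATION frames that never carry END_HEADERS and why a cap on the
bytes buffered per header block ends the attack early.
This is not LiteSpeed, Apache, or any other project's code."""

FRAME_DATA = 0x0
FRAME_HEADERS = 0x1
FRAME_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4
FRAME_HEADER_LEN = 9

# Hypothetical cap that mirrors the 64K figure in the post; the exact value
# and semantics LiteSpeed uses are not specified beyond "64K".
MAX_HEADER_BUFFER = 64 * 1024


def build_frame(ftype, flags, stream_id, payload):
    """Serialize one HTTP/2 frame (RFC 9113 section 4.1): 24-bit length,
    8-bit type, 8-bit flags, reserved bit + 31-bit stream id, then payload."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for a 24-bit length field")
    return (len(payload).to_bytes(3, "big")
            + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big")
            + payload)


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data;
    a trailing partial frame is left for the next read."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + FRAME_HEADER_LEN:off + FRAME_HEADER_LEN + length]
        if len(payload) < length:
            break
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


def assemble_header_block(frames, max_buffer=None):
    """Reassemble HEADERS plus its CONTINUATION frames into one header block,
    as a server must before it can HPACK-decode the request.

    Returns (status, bytes_buffered, block):
      "complete"   END_HEADERS seen; block holds the concatenated fragments
      "incomplete" input ended without END_HEADERS (block is None)
      "closed"     connection torn down: a frame other than CONTINUATION on the
                   same stream arrived mid-block, or the buffered bytes exceeded
                   max_buffer (None means no cap, i.e. the vulnerable behavior)
    Every received header byte counts toward the cap, whether or not the server
    would keep it, so the CPU-only variant in the CERT note is bounded as well.
    Assumes the HEADERS frame has no PADDED or PRIORITY flags, so its whole
    payload is header block fragment.
    """
    buf = bytearray()
    open_stream = None
    for ftype, flags, stream_id, payload in frames:
        if open_stream is None:
            if ftype != FRAME_HEADERS:
                raise ValueError("a header block must start with HEADERS")
            open_stream = stream_id
        elif ftype != FRAME_CONTINUATION or stream_id != open_stream:
            return "closed", len(buf), None  # PROTOCOL_ERROR, RFC 9113 6.10
        buf += payload
        if max_buffer is not None and len(buf) > max_buffer:
            return "closed", len(buf), None  # the 64K-style cap fires here
        if flags & FLAG_END_HEADERS:
            return "complete", len(buf), bytes(buf)
    return "incomplete", len(buf), None


def continuation_flood(stream_id=1, payload_len=1024, n_frames=1000):
    """Constructed attack traffic: one HEADERS frame followed by CONTINUATION
    frames on the same stream, none of which sets END_HEADERS. Filler bytes
    stand in for the HPACK a real flood would carry to keep decoders busy."""
    filler = b"\x00" * payload_len
    yield build_frame(FRAME_HEADERS, 0, stream_id, filler)
    for _ in range(n_frames - 1):
        yield build_frame(FRAME_CONTINUATION, 0, stream_id, filler)


def run_flood(max_buffer, n_frames=1000):
    """Feed the flood (n_frames x 1024 bytes) to a server with the given cap."""
    wire = b"".join(continuation_flood(n_frames=n_frames))
    return assemble_header_block(parse_frames(wire), max_buffer)


if __name__ == "__main__":
    print("no cap: ", run_flood(None)[:2])               # buffers all 1,024,000 bytes
    print("64K cap:", run_flood(MAX_HEADER_BUFFER)[:2])  # closes after 66,560 bytes
```

With no cap, one connection grows by a kilobyte per frame for as long as the attacker keeps sending, and the only thing that stops it is the input ending; with the 64K cap the 65th frame pushes the buffer past the limit and the connection is closed. A real server also has to apply the cap per connection rather than per stream, since the attacker controls how many streams it opens.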
