HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server. Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected. Users can set a new setting (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per minute. ATS does have a fixed amount of memory a request can use and ATS adheres to these limits in previous releases. Users are recommended to upgrade to versions 8.1.10 or 9.2.4 which fixes the issue.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server.
    Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected. Users can set a new setting     (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per     minute. ATS does have a fixed amount of memory a request can use and ATS adheres to these limits in     previous releases. Users are recommended to upgrade to versions 8.1.10 or 9.2.4 which fixes the issue.
    (CVE-2024-31309)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-111a8a624b advisory.

    Update to upstream 9.2.4, resolves CVE-2024-31309 (CONTINUATION frames DoS)

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3799 advisory.

    - -------------------------------------------------------------------------     Debian LTS Advisory DLA-3799-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                          Adrian Bunk     April 28, 2024                                https://wiki.debian.org/LTS
    - -------------------------------------------------------------------------

    Package        : trafficserver     Version        : 8.1.7-0+deb10u4     CVE ID         : CVE-2024-31309     Debian Bug     : 1068417

    Potential DoS attacks have been fixed by rate limiting     HTTP/2 CONTINUATION frames in Apache Traffic Server,     an HTTP/1.1 and HTTP/2 compliant caching proxy server.

    For Debian 10 buster, this problem has been fixed in version     8.1.7-0+deb10u4.

    We recommend that you upgrade your trafficserver packages.

    For the detailed security status of trafficserver please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/trafficserver

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 / 12 host has packages installed that are affected by a vulnerability as referenced in the dsa-5659 advisory.

  - HTTP/2 CONTINUATION DoS attack can cause Apache Traffic Server to consume more resources on the server.
    Version from 8.0.0 through 8.1.9, from 9.0.0 through 9.2.3 are affected. Users can set a new setting     (proxy.config.http2.max_continuation_frames_per_minute) to limit the number of CONTINUATION frames per     minute. ATS does have a fixed amount of memory a request can use and ATS adheres to these limits in     previous releases. Users are recommended to upgrade to versions 8.1.10 or 9.2.4 which fixes the issue.
    (CVE-2024-31309)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-b1e16b4335 advisory.

    Update to upstream 9.2.4, resolves CVE-2024-31309 (CONTINUATION frames DoS)

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-d0acf8d109 advisory.

    Update to upstream 9.2.4, resolves CVE-2024-31309 (CONTINUATION frames DoS)

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
247961	Linux Distros Unpatched Vulnerability : CVE-2024-31309	Nessus	Misc.	high
194705	Fedora 40 : trafficserver (2024-111a8a624b)	Nessus	Fedora Local Security Checks	high
194430	Debian dla-3799 : trafficserver - security update	Nessus	Debian Local Security Checks	high
193316	Debian dsa-5659 : trafficserver - security update	Nessus	Debian Local Security Checks	high
193237	Fedora 39 : trafficserver (2024-b1e16b4335)	Nessus	Fedora Local Security Checks	high
193236	Fedora 38 : trafficserver (2024-d0acf8d109)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2024-31309

high

Tenable Plugins

high

high

high

high

high

high