Apache HTTP Server
cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*
- >= 2.4.17, <= 2.4.67
A vulnerability in Apache HTTP Server's mod_http2 module allows denial-of-service attacks through memory exhaustion. It arises from improper handling of HTTP/2 requests: maliciously crafted headers cause the server to allocate excessive memory, leading to crashes or degraded performance. The vulnerability affects Apache HTTP Server versions 2.4.17 prior to 2.4.67.
Exploitation of this vulnerability causes memory exhaustion, leading to a denial-of-service condition where the server crashes or becomes unresponsive.
The vulnerability can be reproduced by sending HTTP/2 requests that carry large or excessive CONTINUATION frames. It can also be triggered with a custom HTTP/2 client that manipulates the per-stream flow-control windows so that server threads block and the worker pool starves, or by flooding a connection with requests while never reading the responses, in the manner of a 'slowloris' attack.
Users are advised to upgrade to Apache HTTP Server version 2.4.68, which addresses this vulnerability.
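Where the upgrade cannot be applied immediately, the per-connection resource limits that mod_http2 already exposes reduce how much memory and how many workers a single HTTP/2 client can tie up. The fragment below is an added hardening example and is not part of this advisory or of the Apache project's documentation; the directive names are real mod_http2 and core directives, the values are illustrative, and the comment on header limits is an assumption about how they are enforced for HTTP/2 rather than something the advisory states.

```apache
# Added hardening example (not from the advisory): bound mod_http2 resource use
# per connection while the upgrade to 2.4.68 is scheduled. Values are illustrative.
<IfModule http2_module>
    # Concurrent streams a single HTTP/2 connection may open (default 100).
    H2MaxSessionStreams 50
    # Memory buffered per stream for response data before backpressure (default 65536).
    H2StreamMaxMemSize 65536
    # Seconds a stream may sit without progress before it is aborted
    # (directive available since 2.4.58; assumed here to be supported by the running build).
    H2StreamTimeout 30
</IfModule>

# Core request-header limits; assumed to be applied to decoded HTTP/2 headers as well,
# so oversized or excessively numerous header fields are rejected early.
LimitRequestFields 100
LimitRequestFieldSize 8190
```

After changing these values, run `apachectl configtest` before reloading, and confirm the directives are accepted by the installed version; these limits narrow the exposure but do not replace the fix in 2.4.68.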