Security Advisory 0094

Date: April 3, 2024

Revision | Date | Changes
---|---|---
1.0 | April 3, 2024 | Initial release

Description

Arista Networks is providing this security update in response to the following publicly disclosed security vulnerabilities related to HTTP/2 CONTINUATION frames. This set of vulnerabilities results from HTTP/2 implementations that do not properly limit or sanitize the number of CONTINUATION frames accepted on a single stream. An attacker that can send packets to a target server can send a stream of CONTINUATION frames, which can result in an out-of-memory crash, enabling a denial of service (DoS) attack against a target service that uses a vulnerable implementation.

The following CVEs are tracked as part of this announcement:

- CVE-2023-45288: the Go net/http and net/http2 packages do not limit the number of CONTINUATION frames read for an HTTP/2 request.
- CVE-2024-28182: the nghttp2 library continues to receive CONTINUATION frames and does not call back to the application to give it visibility into this information before it resets the stream.
- CVE-2024-27316: the Apache httpd implementation does not properly append header information in memory, causing an OOM crash.
- CVE-2024-31309: Apache Traffic Server consumes more resources on the server in an HTTP/2 CONTINUATION DoS attack.
- CVE-2024-27919: Envoy's HTTP/2 codec does not reset a request when header map limits have been…
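The common mitigation across these CVEs is to bound the header block a server will reassemble from HEADERS and CONTINUATION frames and reset the stream once the bound is hit, rather than buffering until memory runs out. The following Go program is an added illustration written for this advisory, not code from Arista or from any of the listed projects; it assumes a simplified single-stream frame parser and constructs its own sample frame sequence (the `sampleStream` helper and the 16384-byte limit used below are assumptions, not values from the advisory).

```go
package main

import (
	"bytes"
	"errors"
)

// ErrHeaderBlockTooLarge tells the caller to reset the stream instead of buffering more.
var ErrHeaderBlockTooLarge = errors.New("header block exceeds limit; reset stream")

// encodeFrame builds a wire frame (9-byte header + payload) on stream 1; it
// exists only to construct sample input for this example.
func encodeFrame(typ, flags byte, payload []byte) []byte {
	hdr := []byte{byte(len(payload) >> 16), byte(len(payload) >> 8), byte(len(payload)), typ, flags, 0, 0, 0, 1}
	return append(hdr, payload...)
}

// sampleStream is constructed input: a HEADERS frame (type 0x1) without END_HEADERS,
// then n CONTINUATION frames (type 0x9) of 100 bytes; only the last sets END_HEADERS (0x4).
func sampleStream(n int) []byte {
	frag := bytes.Repeat([]byte{0x82}, 100) // opaque header-block bytes
	out := encodeFrame(0x1, 0, frag)
	for i := 1; i < n; i++ {
		out = append(out, encodeFrame(0x9, 0, frag)...)
	}
	return append(out, encodeFrame(0x9, 0x4, frag)...)
}

// readHeaderBlock reassembles one stream's header block from buf, checking the size
// before each append so an unbounded CONTINUATION run never pins more than maxBytes.
func readHeaderBlock(buf []byte, maxBytes int) ([]byte, error) {
	var block []byte
	for len(buf) >= 9 {
		n := int(buf[0])<<16 | int(buf[1])<<8 | int(buf[2]) // 24-bit payload length
		if len(buf) < 9+n {
			break // truncated frame: fall through to the "not terminated" error
		}
		flags, payload := buf[4], buf[9:9+n]
		if len(block)+len(payload) > maxBytes {
			return nil, ErrHeaderBlockTooLarge
		}
		block = append(block, payload...)
		if flags&0x4 != 0 { // END_HEADERS: header block is complete
			return block, nil
		}
		buf = buf[9+n:]
	}
	return nil, errors.New("header block not terminated")
}
```

A benign request with a few CONTINUATION frames is reassembled normally, while a long run of fragments is rejected as soon as the accumulated size would cross the limit, so memory use stays bounded regardless of how many frames the peer sends.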