CVE-2024-27316: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames
First published: Wed Mar 06 2024(Updated: )
Accounts. The issue was addressed with improved checks.
Credit: Yeto IES Red Team ByteDanceCsaba Fitzl @theevilbit KandjiMickey Jin @patch1t Michael DePlante @izobashi Trend Micro Zero Day InitiativeCertiK SkyFall Team D4m0n Amir Bazine CrowdStrike Counter Adversary OperationsKarsten König CrowdStrike Counter Adversary OperationsCVE-2024-2004 CVE-2024-2379 CVE-2024-2398 CVE-2024-2466 an anonymous researcher Yann Gascuel Alter Solutionsw0wbox CVE-2023-6277 CVE-2023-52356 Yisumi Junsung Lee Trend Micro Zero Day Initiative CrowdStrike Counter Adversary OperationsGandalf4a Ye Zhang @VAR10CK Baidu Securitysqrtpwn Minghao Lin Zhejiang UniversityJiaxun Zhu Zhejiang UniversityPatrick Wardle DoubleYouCVE-2024-40805 Rodolphe BRUNETTI @eisw0lf Adam M. CVE-2024-6387 Zhongquan Li @Guluisacat Dawn Security Lab of JingDongMickey Jin @patch1t Kandji KandjiMateen Alinaghi Claudio Bozzato Cisco TalosFrancesco Benvenuto Cisco TalosCsaba Fitzl @theevilbit Offensive SecurityYadhu Krishna M Cyber Security At Suma Soft PvtNarendra Bhati Cyber Security At Suma Soft PvtManager Cyber Security At Suma Soft PvtPune (India) Wojciech Regula SecuRing Dawn Security Lab of JingDongKirin @Pwnrin Joshua Jones Jiwon Park Marcio Almeida Tanto SecurityBistrit Dahal Srijan Poudel Jiahui Hu (梅零落) NorthSeaMeng Zhang (鲸落) NorthSeaArsenii Kostromin (0x3c3e) Huang Xilin Ant Group LightMaksymilian Motyl Johan Carlsson (joaxcar) Seunghyun Lee @0x10n KAIST Hacking Lab working with Trend Micro Zero Day InitiativeCVE-2024-4558 Matthew Butler Gary Kwong Andreas Jaegersberger Ro Achterberg security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apple macOS | <14.6 | 14.6 |
| redhat/httpd | <2.4.59 | 2.4.59 |
| debian/apache2 | 2.4.62-1~deb11u1 2.4.62-1~deb11u2 2.4.62-1~deb12u2 2.4.63-1 | |
| Apache Http Server | >=2.4.17<2.4.59 | |
| Fedora | =38 | |
| Fedora | =39 | |
| Fedora | =40 | |
| NetApp ONTAP | =9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security.netapp.com/advisory/ntap-20240415-0013/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FO73U3SLBYFGIW2YKXOK7RI4D6DJSZ2B/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QKKDVFWBKIHCC3WXNH3W75WWY4NW42OB/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MIUBKSCJGPJ6M2U63V6BKFDF725ODLG7/
- https://httpd.apache.org/security/vulnerabilities_24.html
- http://www.openwall.com/lists/oss-security/2024/04/03/16
- http://www.openwall.com/lists/oss-security/2024/04/04/4
- https://lists.debian.org/debian-lts-announce/2024/05/msg00013.html
- https://launchpad.net/bugs/cve/CVE-2024-27316
- https://www.openwall.com/lists/oss-security/2024/04/03/16
- https://support.apple.com/kb/HT214119
- http://seclists.org/fulldisclosure/2024/Jul/18
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27316
- https://nvd.nist.gov/vuln/detail/CVE-2024-27316
- https://security-tracker.debian.org/tracker/CVE-2024-27316
- https://ubuntu.com/security/CVE-2024-27316
- https://support.apple.com/en-us/HT214119 (Advisory)
- https://www.kb.cert.org/vuls/id/421644
- https://www.openwall.com/lists/oss-security/2024/04/04/4
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2024-27316
- https://github.com/apache/httpd/commit/0d73970ec161300a55b630f71bbf72b5c41f28b9
- https://support.apple.com/en-us/120911 (Advisory)
- https://access.redhat.com/security/cve/CVE-2023-44487
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2273037
- https://access.redhat.com/errata/RHSA-2024:1786
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2274836
- https://access.redhat.com/errata/RHSA-2024:1872
- https://access.redhat.com/errata/RHSA-2024:2564
- https://access.redhat.com/errata/RHSA-2024:2694
- https://access.redhat.com/errata/RHSA-2024:2693
- https://access.redhat.com/errata/RHSA-2024:2891
- https://access.redhat.com/errata/RHSA-2024:2907
- https://access.redhat.com/errata/RHSA-2024:3417
- https://access.redhat.com/errata/RHSA-2024:3402
- https://access.redhat.com/errata/RHSA-2024:4390
- https://access.redhat.com/errata/RHSA-2024:4392
- https://access.redhat.com/errata/RHSA-2024:5145
- https://access.redhat.com/errata/RHSA-2024:5143
- https://access.redhat.com/errata/RHSA-2024:5144
- https://access.redhat.com/errata/RHSA-2024:5147
- https://bugzilla.redhat.com/show_bug.cgi?id=2268277
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2024-40804
- CVE-2023-38709
- CVE-2024-24795
- CVE-2024-27316
- CVE-2024-40783
- CVE-2024-40774
- CVE-2024-40814
- CVE-2024-40775
- CVE-2024-27877
- CVE-2024-27878
- CVE-2024-40799
- CVE-2024-27873
- CVE-2024-2004
- CVE-2024-2379
- CVE-2024-2398
- CVE-2024-2466
- CVE-2024-40827
- CVE-2024-40815
- CVE-2024-40795
- CVE-2023-6277
- CVE-2023-52356
- CVE-2024-40806
- CVE-2024-40777
- CVE-2024-40784
- CVE-2024-27863
- CVE-2024-40816
- CVE-2024-40788
- CVE-2024-40803
- CVE-2024-40805
- CVE-2024-40832
- CVE-2024-40796
- CVE-2024-6387
- CVE-2024-40781
- CVE-2024-40802
- CVE-2024-40823
- CVE-2024-27882
- CVE-2024-27883
- CVE-2024-40778
- CVE-2024-40800
- CVE-2023-27952
- CVE-2024-40817
- CVE-2024-40824
- CVE-2024-27871
- CVE-2024-27881
- CVE-2024-40821
- CVE-2024-40798
- CVE-2024-27872
- CVE-2024-27862
- CVE-2024-40833
- CVE-2024-40835
- CVE-2024-40836
- CVE-2024-40807
- CVE-2024-40834
- CVE-2024-40809
- CVE-2024-40812
- CVE-2024-40787
- CVE-2024-40793
- CVE-2024-40818
- CVE-2024-40822
- CVE-2024-40828
- CVE-2024-40811
- CVE-2024-40776
- CVE-2024-40782
- CVE-2024-40779
- CVE-2024-40780
- CVE-2024-40785
- CVE-2024-40789
- CVE-2024-4558
- CVE-2024-40794
- CVE-2024-44306
- CVE-2024-44307
- CVE-2024-44141
- CVE-2024-40810
- CVE-2024-44205
- CVE-2024-44185
- CVE-2024-44206
Frequently Asked Questions
What is the severity of CVE-2024-27316?
The severity of CVE-2024-27316 has not been explicitly classified, but it affects multiple platforms including Apache HTTP Server and macOS.
How do I fix CVE-2024-27316?
To fix CVE-2024-27316, upgrade Apache HTTP Server to version 2.4.62 or later, or update macOS to version 14.6 or later.
Which software versions are affected by CVE-2024-27316?
CVE-2024-27316 affects Apache HTTP Server versions from 2.4.17 to before 2.4.59, and macOS versions up to 14.6.
Is CVE-2024-27316 specific to any operating systems?
Yes, CVE-2024-27316 affects multiple operating systems including Red Hat, Fedora, and Apple's macOS.
What should I do if I cannot upgrade to the fixed version for CVE-2024-27316?
If an upgrade is not possible, consider implementing temporary mitigation strategies such as adjusting server configurations to limit header sizes.
- collector/oss-sec
- source/oss-sec
- alias/CVE-2024-27316
- agent/title
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/severity
- collector/launchpad-cve
- source/Launchpad
- agent/weakness
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/trending
- agent/source
- collector/apple-support
- source/Apple
- alias/CVE-2024-24795
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- alias/CVE-2023-38709
- alias/CVE-2024-40783
- alias/CVE-2024-40774
- alias/CVE-2024-40814
- alias/CVE-2024-40775
- alias/CVE-2024-27877
- alias/CVE-2024-27878
- alias/CVE-2024-44306
- alias/CVE-2024-44307
- alias/CVE-2024-40799
- alias/CVE-2024-27873
- alias/CVE-2024-2004
- alias/CVE-2024-2379
- alias/CVE-2024-2398
- alias/CVE-2024-2466
- alias/CVE-2024-40827
- alias/CVE-2024-44141
- alias/CVE-2024-40815
- alias/CVE-2024-40795
- alias/CVE-2023-6277
- alias/CVE-2023-52356
- alias/CVE-2024-40806
- alias/CVE-2024-40777
- alias/CVE-2024-40784
- alias/CVE-2024-40810
- alias/CVE-2024-27863
- alias/CVE-2024-40816
- alias/CVE-2024-40788
- alias/CVE-2024-40803
- alias/CVE-2024-40805
- alias/CVE-2024-40832
- alias/CVE-2024-40796
- alias/CVE-2024-6387
- alias/CVE-2024-40781
- alias/CVE-2024-40802
- alias/CVE-2024-40823
- alias/CVE-2024-27882
- alias/CVE-2024-27883
- alias/CVE-2024-40778
- alias/CVE-2024-40800
- alias/CVE-2023-27952
- alias/CVE-2024-40817
- alias/CVE-2024-40824
- alias/CVE-2024-27871
- alias/CVE-2024-27881
- alias/CVE-2024-40821
- alias/CVE-2024-40798
- alias/CVE-2024-27872
- alias/CVE-2024-27862
- alias/CVE-2024-40833
- alias/CVE-2024-40835
- alias/CVE-2024-40836
- alias/CVE-2024-40807
- alias/CVE-2024-40834
- alias/CVE-2024-40809
- alias/CVE-2024-40812
- alias/CVE-2024-40787
- alias/CVE-2024-40793
- alias/CVE-2024-40818
- alias/CVE-2024-40822
- alias/CVE-2024-44205
- alias/CVE-2024-40828
- alias/CVE-2024-40811
- alias/CVE-2024-40776
- alias/CVE-2024-40782
- alias/CVE-2024-40779
- alias/CVE-2024-40780
- alias/CVE-2024-40785
- alias/CVE-2024-40789
- alias/CVE-2024-4558
- alias/CVE-2024-40794
- alias/CVE-2024-44185
- alias/CVE-2024-44206
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- agent/last-modified-date
- agent/references
- agent/description
- agent/author
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- collector/nvd-cve
- vendor/apple
- canonical/apple macos
- package-manager/redhat
- package-manager/debian
- vendor/apache
- canonical/apache http server
- version/apache http server/2.4.17
- vendor/fedoraproject
- canonical/fedora
- version/fedora/38
- version/fedora/39
- version/fedora/40
- vendor/netapp
- canonical/netapp ontap
- version/netapp ontap/9