cdk-from-cfn icon indicating copy to clipboard operation
cdk-from-cfn copied to clipboard

Published 20 hours ago verified publisher icon cdklabs

RUSTSEC-2024-0332: Degradation of service in h2 servers with CONTINUATION Flood

Open cdklabs-automation opened this issue 9 months ago • 0 comments

Degradation of service in h2 servers with CONTINUATION Flood

Details
Package h2
Version 0.3.21
Date 2024-04-03
Patched versions ^0.3.26,>=0.4.4

An attacker can send a flood of CONTINUATION frames, causing h2 to process them indefinitely. This results in an increase in CPU usage.

Tokio task budget helps prevent this from a complete denial-of-service, as the server can still respond to legitimate requests, albeit with increased latency.

More details at "https://seanmonstar.com/blog/hyper-http2-continuation-flood/.

Patches available for 0.4.x and 0.3.x versions.

See advisory page for additional details.

cdklabs-automation avatar May 11 '24 00:05 cdklabs-automation