CVE-2024-30156: 
Rocky Linux vulnerability analysis and mitigation

CVE-2024-30156, known as the HTTP/2 Broke Window Attack, affects Varnish Cache before 7.3.2 and 7.4.x before 7.4.3 (and before 6.0.13 LTS), and Varnish Enterprise 6 before 6.0.12r6. The vulnerability was discovered on August 24, 2023, and publicly disclosed on March 18, 2024 (Varnish Security).

The vulnerability allows credits exhaustion for an HTTP/2 connection control flow window. An attacker can exploit this by letting the server's HTTP/2 connection control flow window run out of credits indefinitely, preventing progress in the processing of streams and retaining associated resources. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CISA-ADP).

The successful exploitation of this vulnerability can result in a denial of service condition, preventing the server from processing HTTP/2 streams effectively and consuming server resources (Red Hat Security).

If upgrading is not possible, the vulnerability can be mitigated by disabling HTTP/2 support using the command 'varnishadm param.set feature -http2' and removing h2 from the list of protocols in the TLS terminator's ALPN. For updated versions, two mitigations are enabled by default, including a new h2windowtimeout parameter that triggers a reset of 'broke' HTTP/2 streams waiting for control flow window credits from the client, with a default conservative value of 5 seconds (Varnish Security).