
CVE-2024-24989: CWE-476 NULL Pointer Dereference in F5 NGINX Plus

Severity: High
Tags: Vulnerability, CVE-2024-24989, CWE-476
Published: Wed Feb 14 2024 (02/14/2024, 16:30:26 UTC)
Source: CVE
Vendor/Project: F5
Product: NGINX Plus

Description

When NGINX Plus or NGINX OSS is configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to "Support for QUIC and HTTP/3" (https://nginx.org/en/docs/quic.html). NOTE: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

AI-Powered Analysis

Last updated: 07/04/2025, 21:58:54 UTC

Technical Analysis

CVE-2024-24989 is a high-severity vulnerability in F5's NGINX Plus product, specifically affecting version R31 when configured to use the HTTP/3 QUIC module. The vulnerability is classified as CWE-476, NULL Pointer Dereference: the software dereferences a pointer whose value is NULL, which in a C program such as NGINX typically results in a memory access fault and a process crash. In this case, certain undisclosed HTTP/3 QUIC requests cause NGINX worker processes to terminate unexpectedly. Because worker processes handle incoming client requests, their termination produces a denial of service condition that affects availability. The HTTP/3 QUIC module is experimental and not enabled by default, which limits the exposed population. The vulnerability does not directly affect confidentiality or integrity; its impact is on availability through service interruption. The CVSS v3.1 base score is 7.5 (high), reflecting a network attack vector, no required privileges, no user interaction, and a direct impact on availability. No exploits are currently reported in the wild, and no patches have been linked yet. Versions that have reached End of Technical Support were not evaluated, so the concern is focused on supported releases. The issue illustrates the risk of enabling experimental protocol modules in production without thorough security validation.

Potential Impact

For European organizations, the primary impact of CVE-2024-24989 is the potential for denial of service (DoS) against web infrastructure running NGINX Plus with the HTTP/3 QUIC module enabled. Organizations relying on NGINX Plus for critical web services, especially those experimenting with or adopting HTTP/3, may experience outages if attackers send crafted requests that trigger the NULL pointer dereference. This can disrupt business operations, degrade user experience, and lead to financial loss or reputational damage. Because HTTP/3 adoption is growing in Europe for its performance benefits, particularly among cloud providers, telecom operators, and large enterprises, the risk is relevant to sectors such as finance, e-commerce, government, and telecommunications. The impact is mitigated somewhat by the fact that the vulnerable module is not enabled by default and is experimental, so many deployments are not exposed. Organizations that do enable HTTP/3 QUIC should nonetheless treat this vulnerability seriously, since it can be triggered remotely without authentication or user interaction.

Mitigation Recommendations

European organizations should take the following specific mitigation steps:
1) Immediately audit NGINX Plus deployments to identify whether the HTTP/3 QUIC module is enabled, especially on version R31.
2) If HTTP/3 QUIC is not required, disable the module to eliminate exposure.
3) For deployments requiring HTTP/3, monitor F5 and NGINX security advisories closely for patches or updates addressing CVE-2024-24989 and apply them promptly once available.
4) Implement network-level protections such as rate limiting and anomaly detection on HTTP/3 traffic to detect and block suspicious or malformed requests that could trigger the vulnerability.
5) Employ redundancy and failover mechanisms in web infrastructure to minimize service disruption if worker processes terminate unexpectedly.
6) Conduct thorough testing of experimental protocol features in isolated environments before production rollout.
7) Engage with F5 support for guidance on temporary workarounds or configuration changes that may mitigate the issue until patches are released.
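The following audit helper supports mitigation steps 1 and 2 (find out whether HTTP/3 QUIC is actually active, then confirm it stays off once disabled). It is an added example, not part of this advisory and not an F5 or NGINX tool. It assumes the standard ways HTTP/3 is switched on in nginx: the `quic` parameter on a `listen` directive, the `http3 on;` directive, and the `--with-http_v3_module` build flag that `nginx -V` reports; the two sample configurations at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added audit helper for the mitigation steps above. Example code, not part of
# the advisory and not an F5/NGINX tool. Assumes the standard nginx switches
# for HTTP/3: "listen ... quic", "http3 on;", and --with-http_v3_module.

# quic_enabled_in_config FILE
# Returns 0 and prints the matching lines (with line numbers) when FILE has an
# active "listen ... quic" or "http3 on;" directive, 1 otherwise. Comments are
# blanked first so a commented-out directive is not reported as enabled; sed
# keeps one output line per input line, so grep -n numbers stay correct.
quic_enabled_in_config() {
    sed 's/#.*$//' "$1" | grep -En \
        -e '^[[:space:]]*listen[[:space:]][^;]*[[:space:]]quic([[:space:]]|;|$)' \
        -e '^[[:space:]]*http3[[:space:]]+on[[:space:]]*;'
}

# quic_module_built_in NGINX_BINARY
# Returns 0 when the binary was compiled with the HTTP/3 module. A binary built
# without it cannot be exposed whatever the configuration says.
# "nginx -V" writes its build information to stderr, hence 2>&1.
quic_module_built_in() {
    "$1" -V 2>&1 | grep -q -- '--with-http_v3_module'
}

# audit_live_nginx
# Dumps the effective configuration with "nginx -T" (all included files in one
# stream) and combines both checks. Returns 0 when HTTP/3 QUIC is active,
# 1 when it is not, 2 when no nginx binary is on PATH.
audit_live_nginx() {
    command -v nginx >/dev/null 2>&1 || { echo "nginx not found on PATH"; return 2; }
    dump=$(mktemp)
    nginx -T > "$dump" 2>/dev/null
    if quic_module_built_in nginx && quic_enabled_in_config "$dump"; then
        echo "EXPOSED: HTTP/3 QUIC is enabled (matching lines above)"
        rm -f "$dump"; return 0
    fi
    echo "OK: HTTP/3 QUIC is not active"
    rm -f "$dump"; return 1
}

# Constructed sample configurations (not from any real deployment) showing the
# two verdicts: one server block with an HTTP/3 listener, one with it disabled.
exposed_cfg=$(mktemp)
cat > "$exposed_cfg" <<'EOF'
server {
    listen 443 ssl;
    listen 443 quic reuseport;   # HTTP/3 listener: this is the exposure
    http3 on;
    server_name www.example.invalid;
}
EOF

safe_cfg=$(mktemp)
cat > "$safe_cfg" <<'EOF'
server {
    listen 443 ssl;
    # listen 443 quic reuseport;  # disabled per mitigation step 2
    server_name www.example.invalid;
}
EOF

for cfg in "$exposed_cfg" "$safe_cfg"; do
    if quic_enabled_in_config "$cfg"; then
        echo "$cfg: HTTP/3 QUIC ENABLED"
    else
        echo "$cfg: HTTP/3 QUIC not enabled"
    fi
done
rm -f "$exposed_cfg" "$safe_cfg"
```

On a real host, run `audit_live_nginx` as a user allowed to read the configuration; it only reads and never restarts or reconfigures the service. Checking the build flag as well as the directives avoids false alarms on binaries that cannot speak HTTP/3 at all, and using `nginx -T` rather than grepping `nginx.conf` directly catches listeners that live in included files.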


Technical Details

Data Version: 5.1
Assigner Short Name: f5
Date Reserved: 2024-02-02T00:32:55.375Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9816c4522896dcbd6dd9

Added to database: 5/21/2025, 9:08:38 AM

Last enriched: 7/4/2025, 9:58:54 PM

Last updated: 8/13/2025, 9:42:32 PM
