Bug 1844929 (CVE-2020-11080)
| Summary: | CVE-2020-11080 nghttp2: overly large SETTINGS frames can lead to DoS | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Mark Cooper <mcooper> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | cmoore, csutherl, csvoboda, gmccullo, gzaronik, hhorak, jclere, jorton, jwon, kaycoth, kconner, kdudka, krathod, lmorse, luhliari, mbabacek, mbenatto, msekleta, mturk, nodejs-maint, pjindal, rcernich, sdunning, svashisht, thoger, zsvetlik |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | nghttp2 1.41.0, node 10.21.0, node 12.18.0, node 14.4.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A resource consumption vulnerability was found in nghttp2. This flaw allows an attacker to repeatedly construct an overly large HTTP/2 SETTINGS frame with a length of 14,400 bytes that causes excessive CPU usage, leading to a denial of service.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-06-11 11:20:27 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1844930, 1844931, 1844932, 1845298, 1845299, 1845300, 1845301, 1845302, 1845303, 1845304, 1845305, 1845306, 1845307, 1845308, 1845309, 1845310, 1845311, 1845312, 1845313, 1845314, 1845315, 1845316, 1845317, 1845318, 1845319, 1847481, 1847482, 1847483, 1847484, 1847485, 1862269 | ||
| Bug Blocks: | 1844928 | ||
|
Description
Mark Cooper
2020-06-08 04:21:43 UTC
External References: https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr Created nghttp2 tracking bugs for this issue: Affects: epel-7 [bug 1844931] Affects: epel-8 [bug 1844932] Affects: fedora-all [bug 1844930] Acknowledgments: Name: the Envoy security team (In reply to Mark Cooper from comment #2) > Created nghttp2 tracking bugs for this issue: > > Affects: epel-7 [bug 1844931] > Affects: epel-8 [bug 1844932] nghttp2 is not in epel-8. Please consider creating a rhel-8 tracking bug instead. All LTS versions of Node.js in Fedora were updated to latest releases providing nghttp2-1.41.0 https://src.fedoraproject.org/rpms/nodejs/c/fa3bbd7aedac586123f61db60a4bc2b20177503d?branch=10 https://src.fedoraproject.org/rpms/nodejs/c/b031e5cbac070ad813f7e7723a122287a451aa7e?branch=12 https://src.fedoraproject.org/rpms/nodejs/c/78887f1479112d6d5671c012b841411e2b89758f?branch=14 In reply to comment #8: > (In reply to Mark Cooper from comment #2) > > Created nghttp2 tracking bugs for this issue: > > > > Affects: epel-7 [bug 1844931] > > Affects: epel-8 [bug 1844932] > > nghttp2 is not in epel-8. Please consider creating a rhel-8 tracking bug > instead. I believe @mbenatto has this done this. Thanks This issue has been addressed in the following products: OpenShift Service Mesh 1.1 Via RHSA-2020:2523 https://access.redhat.com/errata/RHSA-2020:2523 This issue has been addressed in the following products: OpenShift Service Mesh 1.0 Via RHSA-2020:2524 https://access.redhat.com/errata/RHSA-2020:2524 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11080 What is the ETA for this fix with RHEL 8 and NodeJS 12? We have a release deadline for July and this CVE is needed. Created nodejs:10/nghttp2 tracking bugs for this issue: Affects: fedora-all [bug 1847481] Created nodejs:11/nghttp2 tracking bugs for this issue: Affects: fedora-all [bug 1847482] Created nodejs:12/nghttp2 tracking bugs for this issue: Affects: fedora-all [bug 1847483] Created nodejs:13/nghttp2 tracking bugs for this issue: Affects: fedora-all [bug 1847484] Created nodejs:14/nghttp2 tracking bugs for this issue: Affects: fedora-all [bug 1847485] This issue has been addressed in the following products: JBoss Core Services on RHEL 6 JBoss Core Services on RHEL 7 Via RHSA-2020:2644 https://access.redhat.com/errata/RHSA-2020:2644 This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2020:2646 https://access.redhat.com/errata/RHSA-2020:2646 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:2755 https://access.redhat.com/errata/RHSA-2020:2755 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 6 Via RHSA-2020:2784 https://access.redhat.com/errata/RHSA-2020:2784 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:2823 https://access.redhat.com/errata/RHSA-2020:2823 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:2850 https://access.redhat.com/errata/RHSA-2020:2850 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:2847 https://access.redhat.com/errata/RHSA-2020:2847 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:2849 https://access.redhat.com/errata/RHSA-2020:2849 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:2848 https://access.redhat.com/errata/RHSA-2020:2848 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:2852 https://access.redhat.com/errata/RHSA-2020:2852 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:2895 https://access.redhat.com/errata/RHSA-2020:2895 How is this closed when nodejs:14/nodejs is not showed as patched? This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:3042 https://access.redhat.com/errata/RHSA-2020:3042 I'm not tracking. The errata link posted is for node10. The https://access.redhat.com/security/cve/CVE-2020-11080 page still shows both node10 and node14 affected with no fix. This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:3084 https://access.redhat.com/errata/RHSA-2020:3084 |