Bug 2264290 (CVE-2024-24989)

Summary: CVE-2024-24989 nginx: NULL pointer dereference in HTTP/3
Product: [Other] Security Response
Reporter: Robb Gatica <rgatica>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: epacific, felix, hhorak, jcammara, jhardy, jneedle, jobarker, jorton, luhliari, mabashia, simaishi, smcdonal, teagle, yguenane, zsadeh
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: nginx 1.25.4
Doc Text:
A flaw was found in the nginx HTTP/3 implementation. This issue may allow an attacker to use a specially crafted QUIC session to trigger a NULL pointer dereference error, causing a worker process to crash, leading to a denial of service.
Bug Depends On: 2264293, 2264294, 2264295, 2264296, 2264297    
Bug Blocks: 2264284    

Description Robb Gatica 2024-02-14 22:20:36 UTC
Description:
When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate.

Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. The issues affect nginx compiled with the ngx_http_v3_module (not compiled by default) if the "quic" option of the "listen" directive is used in a configuration file. For more information, refer to "Support for QUIC and HTTP/3": https://nginx.org/en/docs/quic.html

References:
https://my.f5.com/manage/s/article/K000138444
https://my.f5.com/manage/s/article/K000138445
https://nginx.org/en/security_advisories.html

The issue affects nginx 1.25.0 - 1.25.3.
The issue is fixed in nginx 1.25.4.
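
The three conditions in the description above (nginx 1.25.0 - 1.25.3, a build with ngx_http_v3_module, and a "listen" directive using "quic") can be checked per host. The following is an added example, not part of the bug report or of nginx; the function names and sample inputs are constructed, and it assumes you pass in the text of `nginx -V` (written to stderr) and of `nginx -T`.

```shell
#!/bin/sh
# Added example: triage a host for the CVE-2024-24989 preconditions.
# $1 = output of `nginx -V 2>&1`, $2 = output of `nginx -T` (full config dump).

# Extract X.Y.Z from the "nginx version: nginx/X.Y.Z" line.
nginx_version() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p' | head -n 1
}

# True for the affected range stated in this bug (1.25.0 - 1.25.3).
version_affected() {
    case "$1" in
        1.25.0|1.25.1|1.25.2|1.25.3) return 0 ;;
        *) return 1 ;;
    esac
}

# True if the build was configured with the HTTP/3 module.
has_http3_module() {
    printf '%s\n' "$1" | grep -q -- '--with-http_v3_module'
}

# True if a non-comment "listen" directive carries the "quic" parameter.
has_quic_listener() {
    printf '%s\n' "$1" | sed 's/#.*//' |
        grep -Eq '(^|[;{}[:space:]])listen[[:space:]]+[^;]*[[:space:]]quic([[:space:]][^;]*)?;'
}

# Print a single verdict word for the host.
cve_2024_24989_status() {
    ver=$(nginx_version "$1")
    [ -n "$ver" ] || { echo unknown; return; }
    version_affected "$ver" || { echo not-affected-version; return; }
    has_http3_module "$1" || { echo module-not-built; return; }
    has_quic_listener "$2" || { echo quic-not-configured; return; }
    echo exposed
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_V='nginx version: nginx/1.25.3
configure arguments: --with-http_ssl_module --with-http_v3_module'
SAMPLE_CONF='server {
    # listen 8443 quic;
    listen 443 quic reuseport;
    listen 443 ssl;
}'
cve_2024_24989_status "$SAMPLE_V" "$SAMPLE_CONF"
```

On a live host the inputs would be `"$(nginx -V 2>&1)"` and `"$(nginx -T 2>/dev/null)"`; any verdict other than `exposed` names the first precondition that was not met.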

Comment 1 Robb Gatica 2024-02-14 22:26:10 UTC
Created nginx tracking bugs for this issue:

Affects: epel-all [bug 2264293]
Affects: fedora-all [bug 2264295]


Created nginx:1.20/nginx tracking bugs for this issue:

Affects: fedora-all [bug 2264296]


Created nginx:mainline/nginx tracking bugs for this issue:

Affects: epel-all [bug 2264294]
Affects: fedora-all [bug 2264297]

Comment 3 Felix Kaechele 2024-02-18 19:50:02 UTC
Fedora doesn't ship HTTP/3 support (due to being on the 1.20 stream).
EPEL doesn't have modules anymore.

I'm trying to push an update to the F38 Modular repos but the Module Build Service is having its usual issues.

Comment 4 Felix Kaechele 2024-02-21 17:22:39 UTC
The module build system seems to be broken since December: https://release-engineering.github.io/mbs-ui/modules

So the F38 Modular build of the updated version is not being built. I will ping the Fedora Infra folks to see if we can give this one last poke.