Bug 2264574 (CVE-2024-22019)

Summary: CVE-2024-22019 nodejs: reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks
Product: [Other] Security Response
Reporter: Robb Gatica <rgatica>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: amctagga, hhorak, jorton, mvanderw
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: node 18.19.1
Doc Type: If docs needed, set a value
Doc Text: A flaw was found in Node.js due to a lack of safeguards on chunk extension bytes. The server may read an unbounded number of bytes from a single connection, which can allow an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2264576, 2264804, 2264805, 2264577, 2264578, 2264806, 2264807, 2265709, 2271423
Bug Blocks: 2264565

Description Robb Gatica 2024-02-16 17:30:00 UTC
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.

This vulnerability affects all users in all active release lines: 18.x, 20.x, and 21.x.
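As an added illustration (not code from this bug report or from Node.js itself), a small chunked-body decoder that caps the chunk-extension bytes it will accept, so a single connection cannot keep the parser busy indefinitely; the 16 KiB default and the sample bodies are assumptions constructed for the example, and passing Infinity reproduces the unbounded behaviour the description refers to.

```javascript
// Decodes an HTTP/1.1 chunked body held in a Buffer. Each chunk looks like
//   <hex-size>[;<extension>...]\r\n<data>\r\n   and the body ends with 0\r\n\r\n
// The optional extension is where CVE-2024-22019 lives: a parser that keeps
// consuming extension bytes without limit lets one connection occupy the server
// indefinitely. maxExtBytes caps extension bytes per message (16 KiB is a value
// chosen for this example, not taken from the advisory); Infinity removes the cap.
function parseChunkedBody(buf, maxExtBytes = 16 * 1024) {
  const CRLF = Buffer.from('\r\n');
  const chunks = [];
  let pos = 0;
  let extBytes = 0; // running total across all chunk-size lines of this message
  for (;;) {
    const eol = buf.indexOf(CRLF, pos);
    if (eol === -1) {
      // No line terminator yet. A streaming server would be waiting for more
      // bytes here, so the cap must apply to what has accumulated so far.
      if (buf.length - pos > maxExtBytes) throw new Error('chunk extension too long');
      throw new Error('incomplete chunk-size line');
    }
    const line = buf.subarray(pos, eol).toString('latin1');
    const semi = line.indexOf(';');
    const sizeHex = semi === -1 ? line : line.slice(0, semi);
    if (!/^[0-9a-fA-F]{1,8}$/.test(sizeHex)) throw new Error('bad chunk size');
    if (semi !== -1) {
      extBytes += line.length - semi;
      if (extBytes > maxExtBytes) throw new Error('chunk extension too long');
    }
    const size = parseInt(sizeHex, 16);
    pos = eol + 2;
    if (size === 0) {
      // Last chunk: skip any trailer lines up to the empty line that ends them.
      let e;
      while ((e = buf.indexOf(CRLF, pos)) !== -1 && e !== pos) pos = e + 2;
      if (e === -1) throw new Error('incomplete trailer section');
      return Buffer.concat(chunks);
    }
    if (pos + size + 2 > buf.length) throw new Error('truncated chunk data');
    if (!buf.subarray(pos + size, pos + size + 2).equals(CRLF)) {
      throw new Error('missing CRLF after chunk data');
    }
    chunks.push(buf.subarray(pos, pos + size));
    pos += size + 2;
  }
}

// Constructed sample bodies (not captured traffic): a benign message with a short
// extension, and one whose single chunk-size line carries 20 000 extension bytes.
const BENIGN = Buffer.from('5;note=ok\r\nhello\r\n0\r\n\r\n');
const OVERSIZED = Buffer.from('5;' + 'a'.repeat(20000) + '\r\nhello\r\n0\r\n\r\n');
```

With the cap in place the oversized message is rejected before its data is read; with Infinity the same decoder accepts it, which is the behaviour the fixed Node.js releases no longer exhibit.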

Comment 2 Robb Gatica 2024-02-16 17:37:27 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2264576]


Created nodejs18 tracking bugs for this issue:

Affects: fedora-all [bug 2264577]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-all [bug 2264578]

Comment 4 Sandipan Roy 2024-02-19 04:11:01 UTC
Created nodejs16 tracking bugs for this issue:

Affects: fedora-all [bug 2264806]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2264804]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2264805]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2264807]

Comment 9 errata-xmlrpc 2024-03-18 10:41:39 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2024:1354 https://access.redhat.com/errata/RHSA-2024:1354

Comment 10 errata-xmlrpc 2024-03-19 17:45:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1424 https://access.redhat.com/errata/RHSA-2024:1424

Comment 11 errata-xmlrpc 2024-03-20 10:00:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1438 https://access.redhat.com/errata/RHSA-2024:1438

Comment 12 errata-xmlrpc 2024-03-20 16:55:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1444 https://access.redhat.com/errata/RHSA-2024:1444

Comment 15 errata-xmlrpc 2024-03-26 09:22:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1510 https://access.redhat.com/errata/RHSA-2024:1510

Comment 16 errata-xmlrpc 2024-04-04 16:07:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1678 https://access.redhat.com/errata/RHSA-2024:1678

Comment 17 errata-xmlrpc 2024-04-08 08:49:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1688 https://access.redhat.com/errata/RHSA-2024:1688

Comment 18 errata-xmlrpc 2024-04-08 09:04:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1687 https://access.redhat.com/errata/RHSA-2024:1687

Comment 19 errata-xmlrpc 2024-04-18 02:08:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1880 https://access.redhat.com/errata/RHSA-2024:1880

Comment 20 errata-xmlrpc 2024-04-22 01:09:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1932 https://access.redhat.com/errata/RHSA-2024:1932

Comment 21 errata-xmlrpc 2024-05-02 07:03:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:2651 https://access.redhat.com/errata/RHSA-2024:2651

Comment 22 errata-xmlrpc 2024-05-09 09:49:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:2793 https://access.redhat.com/errata/RHSA-2024:2793