Bug 2268277 (CVE-2024-27316, VU#421644.4)
Summary: | CVE-2024-27316 httpd: CONTINUATION frames DoS | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Nick Tait <ntait> |
Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | ||
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | httpd 2.4.59 | Doc Type: | If docs needed, set a value |
Doc Text: |
A vulnerability was found in how Apache httpd implements the HTTP/2 protocol. There are insufficient limitations placed on the number of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated remote attacker to send packets to vulnerable servers, which could use up memory resources and cause a Denial of Service.
|
Bug Depends On: | 2268474, 2268475, 2270547, 2273037, 2274836 | ||
Bug Blocks: | 2268258 |
Description
Nick Tait
2024-03-06 21:33:06 UTC
CVE-2023-44487 is something different I think you are mixing CVE...

Created mod_http2 tracking bugs for this issue:
Affects: fedora-all [bug 2273037]

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8
Via RHSA-2024:1786 https://access.redhat.com/errata/RHSA-2024:1786

Created httpd tracking bugs for this issue:
Affects: fedora-all [bug 2274836]

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9
Via RHSA-2024:1872 https://access.redhat.com/errata/RHSA-2024:1872

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9
Via RHSA-2024:2564 https://access.redhat.com/errata/RHSA-2024:2564

This issue has been addressed in the following products:
  Red Hat JBoss Core Services
Via RHSA-2024:2694 https://access.redhat.com/errata/RHSA-2024:2694

This issue has been addressed in the following products:
  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8
Via RHSA-2024:2693 https://access.redhat.com/errata/RHSA-2024:2693

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.8 Extended Update Support
Via RHSA-2024:2891 https://access.redhat.com/errata/RHSA-2024:2891

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8.6 Extended Update Support
Via RHSA-2024:2907 https://access.redhat.com/errata/RHSA-2024:2907

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9.0 Extended Update Support
Via RHSA-2024:3417 https://access.redhat.com/errata/RHSA-2024:3417

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 9.2 Extended Update Support
Via RHSA-2024:3402 https://access.redhat.com/errata/RHSA-2024:3402

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
  Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
Via RHSA-2024:4390 https://access.redhat.com/errata/RHSA-2024:4390

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform
Via RHSA-2024:4392 https://access.redhat.com/errata/RHSA-2024:4392

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
Via RHSA-2024:5145 https://access.redhat.com/errata/RHSA-2024:5145

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
Via RHSA-2024:5143 https://access.redhat.com/errata/RHSA-2024:5143

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
Via RHSA-2024:5144 https://access.redhat.com/errata/RHSA-2024:5144

This issue has been addressed in the following products:
  Red Hat JBoss Enterprise Application Platform
Via RHSA-2024:5147 https://access.redhat.com/errata/RHSA-2024:5147