Bug 2268639 (CVE-2024-28182, VU#421644.5)

Summary: CVE-2024-28182 nghttp2: CONTINUATION frames DoS
Product: [Other] Security Response
Reporter: Nick Tait <ntait>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: csutherl, hhorak, jamacku, jclere, jorton, jstanek, luhliari, nodejs-maint, pjindal, plodge, security-response-team, szappis
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: nghttp2 1.61.0
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in how nghttp2 implements the HTTP/2 protocol. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated remote attacker to send packets to vulnerable servers, which could use up compute or memory resources to cause a Denial of Service.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2273035, 2273392, 2273393, 2269269, 2270549, 2273034, 2273036, 2273038, 2273388, 2273389, 2273390, 2273391, 2278672
Bug Blocks: 2268258

Description Nick Tait 2024-03-08 23:32:34 UTC
This description was provided in the disclosure from VINCE:

An implementation using the nghttp2 library will continue to receive CONTINUATION frames, and will not callback to the application to allow visibility into this information before it resets the stream, resulting in a DoS.
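The missing bound described above, as an added example that is not nghttp2's code: a per-stream guard that parses HTTP/2 frame headers and rejects a header block once it exceeds a CONTINUATION-frame count or an accumulated byte limit, instead of buffering indefinitely. The limit values and the class and function names are assumptions for the example.

```python
from dataclasses import dataclass

HEADERS, CONTINUATION, END_HEADERS = 0x1, 0x9, 0x4
# Policy limits are assumed values for this example, not nghttp2's defaults.
MAX_CONTINUATION_FRAMES = 8
MAX_HEADER_BLOCK_BYTES = 16 * 1024


@dataclass
class FrameHeader:
    length: int
    type: int
    flags: int
    stream_id: int

    @classmethod
    def parse(cls, raw: bytes) -> "FrameHeader":
        # RFC 9113 s4.1: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id
        if len(raw) < 9:
            raise ValueError("short frame header")
        return cls(int.from_bytes(raw[:3], "big"), raw[3], raw[4],
                   int.from_bytes(raw[5:9], "big") & 0x7FFFFFFF)


@dataclass
class ContinuationGuard:
    open_stream: int = 0     # stream with an unterminated header block (0 = none)
    frames: int = 0          # CONTINUATION frames seen in the current block
    block_bytes: int = 0     # header-block bytes buffered for the current block

    def feed(self, fh: FrameHeader) -> str:
        """Classify one incoming frame header as 'ok', 'complete' or 'reject'."""
        if self.open_stream == 0:
            if fh.type != HEADERS:
                return "ok"                  # unrelated frame, nothing to account for
            self.open_stream, self.frames, self.block_bytes = fh.stream_id, 0, 0
        elif fh.type != CONTINUATION or fh.stream_id != self.open_stream:
            self.open_stream = 0
            return "reject"                  # RFC 9113 s6.10: connection error (PROTOCOL_ERROR)
        else:
            self.frames += 1
        self.block_bytes += fh.length
        if self.frames > MAX_CONTINUATION_FRAMES or self.block_bytes > MAX_HEADER_BLOCK_BYTES:
            self.open_stream = 0
            return "reject"                  # the missing bound: stop buffering, reset the stream
        if fh.flags & END_HEADERS:
            self.open_stream = 0
            return "complete"                # block closed, hand the header block to HPACK
        return "ok"
```

On "reject" the caller is expected to send RST_STREAM (or GOAWAY) and discard the partial header block, so an unbounded sequence of CONTINUATION frames costs at most the configured limit before the stream is dropped.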

Comment 16 Nick Tait 2024-04-03 19:12:59 UTC
Created nghttp2 tracking bugs for this issue:

Affects: fedora-all [bug 2273036]


Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2273035]


Created nodejs:13/nghttp2 tracking bugs for this issue:

Affects: epel-all [bug 2273034]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2273038]

Comment 18 Nick Tait 2024-04-04 15:04:38 UTC
Created nghttp2 tracking bugs for this issue:

Affects: epel-all [bug 2273388]


Created nodejs16 tracking bugs for this issue:

Affects: fedora-all [bug 2273389]


Created nodejs18 tracking bugs for this issue:

Affects: fedora-all [bug 2273390]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-all [bug 2273391]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2273392]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2273393]

Comment 26 Fedora Update System 2024-04-19 21:29:13 UTC
FEDORA-2024-da8cdd8414 (nghttp2-1.59.0-3.fc40) has been pushed to the Fedora 40 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 27 Fedora Update System 2024-04-20 01:02:44 UTC
FEDORA-2024-a00de83de9 (nghttp2-1.55.1-5.fc39) has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 34 errata-xmlrpc 2024-05-07 15:44:55 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2024:2694 https://access.redhat.com/errata/RHSA-2024:2694

Comment 35 errata-xmlrpc 2024-05-07 15:47:34 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2024:2693 https://access.redhat.com/errata/RHSA-2024:2693

Comment 36 errata-xmlrpc 2024-05-09 06:18:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2779 https://access.redhat.com/errata/RHSA-2024:2779

Comment 37 errata-xmlrpc 2024-05-09 06:20:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2778 https://access.redhat.com/errata/RHSA-2024:2778

Comment 38 errata-xmlrpc 2024-05-09 06:21:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2780 https://access.redhat.com/errata/RHSA-2024:2780

Comment 39 errata-xmlrpc 2024-05-15 11:28:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2853 https://access.redhat.com/errata/RHSA-2024:2853

Comment 40 errata-xmlrpc 2024-05-20 02:06:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2910 https://access.redhat.com/errata/RHSA-2024:2910

Comment 42 errata-xmlrpc 2024-05-21 05:12:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:2937 https://access.redhat.com/errata/RHSA-2024:2937

Comment 43 errata-xmlrpc 2024-05-30 12:58:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3501 https://access.redhat.com/errata/RHSA-2024:3501

Comment 44 errata-xmlrpc 2024-06-03 07:02:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:3544 https://access.redhat.com/errata/RHSA-2024:3544

Comment 45 errata-xmlrpc 2024-06-06 08:25:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:3665 https://access.redhat.com/errata/RHSA-2024:3665

Comment 46 errata-xmlrpc 2024-06-06 14:19:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:3701 https://access.redhat.com/errata/RHSA-2024:3701

Comment 47 errata-xmlrpc 2024-06-10 14:44:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:3763 https://access.redhat.com/errata/RHSA-2024:3763

Comment 48 errata-xmlrpc 2024-06-12 22:30:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:3875 https://access.redhat.com/errata/RHSA-2024:3875

Comment 49 errata-xmlrpc 2024-07-02 15:25:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4252 https://access.redhat.com/errata/RHSA-2024:4252

Comment 50 errata-xmlrpc 2024-07-16 15:36:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2024:4576 https://access.redhat.com/errata/RHSA-2024:4576

Comment 51 errata-xmlrpc 2024-07-23 08:35:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:4721 https://access.redhat.com/errata/RHSA-2024:4721

Comment 52 errata-xmlrpc 2024-07-23 14:54:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:4732 https://access.redhat.com/errata/RHSA-2024:4732

Comment 53 errata-xmlrpc 2024-07-24 13:06:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:4824 https://access.redhat.com/errata/RHSA-2024:4824