Bug 2272764 (CVE-2024-27983)

Summary: CVE-2024-27983 nodejs: CONTINUATION frames DoS
Product: [Other] Security Response Reporter: Nick Tait <ntait>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: caswilli, dkuc, fjansen, hhorak, hkataria, jorton, jstanek, kaycoth, kshier, nodejs-maint, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in how Node.js implements the HTTP/2 protocol. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated, remote attacker to send packets to vulnerable servers, which could use up compute or memory resources, causing a denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2273043, 2273044, 2275569, 2278047, 2278048, 2273045    
Bug Blocks: 2268258    

Description Nick Tait 2024-04-02 21:49:25 UTC 
At a minimum, the following versions of Node.js are affected 18, 20, and 21.

Description: An attacker can make the Node.js HTTP/2 server unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
Comment 4 Nick Tait 2024-04-03 19:19:00 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2273043]


Created nodejs18 tracking bugs for this issue:

Affects: fedora-all [bug 2273044]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-all [bug 2273045]
Comment 12 Nick Tait 2024-04-30 22:07:19 UTC 
Created nodejs16 tracking bugs for this issue:

Affects: fedora-all [bug 2278048]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2278047]
Comment 15 errata-xmlrpc 2024-05-09 06:18:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2779 https://access.redhat.com/errata/RHSA-2024:2779
Comment 16 errata-xmlrpc 2024-05-09 06:20:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2778 https://access.redhat.com/errata/RHSA-2024:2778
Comment 17 errata-xmlrpc 2024-05-09 06:21:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2780 https://access.redhat.com/errata/RHSA-2024:2780
Comment 18 errata-xmlrpc 2024-05-15 11:28:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2853 https://access.redhat.com/errata/RHSA-2024:2853