Bug 2274149

Summary: Fedora ALL STABLE: unpatched CVE-2024-27316(HTTP/2 Header DOS),CVE-2023-38709(Response Split)
Product: [Fedora] Fedora Reporter: customercare
Component: httpdAssignee: Luboš Uhliarik <luhliari>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 39CC: anon.amish, jorton, luhliari, mturk
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: https://nvd.nist.gov/vuln/detail/CVE-2024-27316
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-04-17 15:52:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description customercare 2024-04-09 12:25:14 UTC 
Information about CVE-2024-27316 => DOS of Server

https://thehackernews.com/2024/04/new-http2-vulnerability-exposes-web.html

Problem:

httpd package for stable Fedora's is missing 3 moderate rated CVEs. Version is available for F41, but not for F38/39/40 . 

Even if Apache rates these issues as "moderadte",DOS attacks are not so moderate if your webserver gets DOSed in the realworld. So pls fix it.


suggested WORKAROUND: disable HTTP/2 Protocol

Apache Info:

Fixed in Apache HTTP Server 2.4.59

moderate: Apache HTTP Server: HTTP response splitting (CVE-2023-38709)

    Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses.

    This issue affects Apache HTTP Server: through 2.4.58.

    Acknowledgements: finder: Orange Tsai (@orange_8361) from DEVCORE
    Reported to security team	2023-06-26
    Update 2.4.59 released	2024-04-04
    Affects	<=2.4.58

low: Apache HTTP Server: HTTP Response Splitting in multiple modules (CVE-2024-24795)

    HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.

    Users are recommended to upgrade to version 2.4.59, which fixes this issue.

    Acknowledgements:

        finder: Keran Mu, Tsinghua University and Zhongguancun Laboratory.
        finder: Jianjun Chen, Tsinghua University and Zhongguancun Laboratory.

    Reported to security team	2023-09-06
    Update 2.4.59 released	2024-04-04
    Affects	<=2.4.58
moderate: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames (CVE-2024-27316)

    HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

    Acknowledgements: finder: Bartek Nowotarski (https://nowotarski.info/)
    Reported to security team	2024-02-22
    Update 2.4.59 released	2024-04-04
    Affects	<=2.4.58

Reproducible: Always

Actual Results:  
DOS/OOM

Expected Results:  
no OOM/no DOS
Comment 1 Joe Orton 2024-04-17 15:52:50 UTC 
This is an issue in mod_http2, not httpd.

*** This bug has been marked as a duplicate of bug 2273037 ***