Bug 1844929 (CVE-2020-11080) - CVE-2020-11080 nghttp2: overly large SETTINGS frames can lead to DoS
Summary: CVE-2020-11080 nghttp2: overly large SETTINGS frames can lead to DoS
Status: CLOSED ERRATA
Alias: CVE-2020-11080
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1845301 1845303 1845307 1845311 1845314 1845316 1845318 1847481 1847482 1847483 1847484 1847485 1862269 1844930 1844931 1844932 1845298 1845299 1845300 1845302 1845304 1845305 1845306 1845308 1845309 1845310 1845312 1845313 1845315 1845317 1845319
Blocks: 1844928
Reported: 2020-06-08 04:21 UTC by Mark Cooper
Modified: 2020-08-03 18:32 UTC

Fixed In Version: nghttp2 1.41.0, node 10.21.0, node 12.18.0, node 14.4.0
Doc Text:
A resource consumption vulnerability was found in nghttp2. This flaw allows an attacker to repeatedly construct an overly large HTTP/2 SETTINGS frame with a length of 14,400 bytes that causes excessive CPU usage, leading to a denial of service.
Last Closed: 2020-06-11 11:20:27 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:2766 None None None 2020-06-30 00:58:54 UTC
Red Hat Product Errata RHBA-2020:2822 None None None 2020-07-06 14:54:18 UTC
Red Hat Product Errata RHBA-2020:2873 None None None 2020-07-08 10:07:56 UTC
Red Hat Product Errata RHBA-2020:2882 None None None 2020-07-08 16:18:26 UTC
Red Hat Product Errata RHBA-2020:2883 None None None 2020-07-09 00:59:54 UTC
Red Hat Product Errata RHBA-2020:2885 None None None 2020-07-09 11:47:30 UTC
Red Hat Product Errata RHBA-2020:2896 None None None 2020-07-13 10:33:53 UTC
Red Hat Product Errata RHBA-2020:2898 None None None 2020-07-13 15:20:58 UTC
Red Hat Product Errata RHBA-2020:2899 None None None 2020-07-13 16:09:53 UTC
Red Hat Product Errata RHBA-2020:2900 None None None 2020-07-13 18:24:53 UTC
Red Hat Product Errata RHBA-2020:2977 None None None 2020-07-16 13:13:26 UTC
Red Hat Product Errata RHBA-2020:3095 None None None 2020-07-22 11:25:46 UTC
Red Hat Product Errata RHBA-2020:3116 None None None 2020-07-23 00:16:31 UTC
Red Hat Product Errata RHBA-2020:3149 None None None 2020-07-27 03:19:52 UTC
Red Hat Product Errata RHBA-2020:3269 None None None 2020-08-03 07:54:39 UTC
Red Hat Product Errata RHBA-2020:3287 None None None 2020-08-03 17:15:50 UTC
Red Hat Product Errata RHBA-2020:3293 None None None 2020-08-03 18:32:46 UTC
Red Hat Product Errata RHSA-2020:2523 None None None 2020-06-11 06:48:35 UTC
Red Hat Product Errata RHSA-2020:2524 None None None 2020-06-11 07:03:13 UTC
Red Hat Product Errata RHSA-2020:2644 None None None 2020-06-22 12:27:04 UTC
Red Hat Product Errata RHSA-2020:2646 None None None 2020-06-22 13:08:58 UTC
Red Hat Product Errata RHSA-2020:2755 None None None 2020-06-25 16:55:38 UTC
Red Hat Product Errata RHSA-2020:2784 None None None 2020-07-01 12:36:40 UTC
Red Hat Product Errata RHSA-2020:2823 None None None 2020-07-06 20:33:26 UTC
Red Hat Product Errata RHSA-2020:2847 None None None 2020-07-07 09:12:09 UTC
Red Hat Product Errata RHSA-2020:2848 None None None 2020-07-07 09:23:12 UTC
Red Hat Product Errata RHSA-2020:2849 None None None 2020-07-07 09:15:02 UTC
Red Hat Product Errata RHSA-2020:2850 None None None 2020-07-07 09:01:27 UTC
Red Hat Product Errata RHSA-2020:2852 None None None 2020-07-07 09:39:41 UTC
Red Hat Product Errata RHSA-2020:2895 None None None 2020-07-13 10:48:14 UTC
Red Hat Product Errata RHSA-2020:3042 None None None 2020-07-21 14:32:59 UTC
Red Hat Product Errata RHSA-2020:3084 None None None 2020-07-21 19:29:02 UTC

Description Mark Cooper 2020-06-08 04:21:43 UTC
In nghttp2 before version 1.41.0, if an overly large HTTP/2 SETTINGS frame with a length of 14,400 bytes is repeatedly constructed, it can cause the CPU to spike to 100% and cause a DoS.

Comment 1 Mark Cooper 2020-06-08 04:21:47 UTC
External References:

https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr

Comment 2 Mark Cooper 2020-06-08 04:22:23 UTC
Created nghttp2 tracking bugs for this issue:

Affects: epel-7 [bug 1844931]
Affects: epel-8 [bug 1844932]
Affects: fedora-all [bug 1844930]

Comment 5 Mark Cooper 2020-06-08 04:40:19 UTC
Acknowledgments:

Name: the Envoy security team

Comment 8 Kamil Dudka 2020-06-08 09:48:53 UTC
(In reply to Mark Cooper from comment #2)
> Created nghttp2 tracking bugs for this issue:
> 
> Affects: epel-7 [bug 1844931]
> Affects: epel-8 [bug 1844932]

nghttp2 is not in epel-8.  Please consider creating a rhel-8 tracking bug instead.

Comment 14 Mark Cooper 2020-06-08 23:47:23 UTC
In reply to comment #8:
> (In reply to Mark Cooper from comment #2)
> > Created nghttp2 tracking bugs for this issue:
> > 
> > Affects: epel-7 [bug 1844931]
> > Affects: epel-8 [bug 1844932]
> 
> nghttp2 is not in epel-8.  Please consider creating a rhel-8 tracking bug
> instead.

I believe @mbenatto has done this. Thanks

Comment 19 errata-xmlrpc 2020-06-11 06:48:32 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.1

Via RHSA-2020:2523 https://access.redhat.com/errata/RHSA-2020:2523

Comment 20 errata-xmlrpc 2020-06-11 07:03:10 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 1.0

Via RHSA-2020:2524 https://access.redhat.com/errata/RHSA-2020:2524

Comment 21 Product Security DevOps Team 2020-06-11 11:20:27 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-11080

Comment 22 Laurie Morse 2020-06-15 18:14:59 UTC
What is the ETA for this fix with RHEL 8 and NodeJS 12?  We have a release deadline for July and this CVE is needed.

Comment 25 Jean-frederic Clere 2020-06-16 07:15:39 UTC
See https://issues.redhat.com/browse/JBCS-976 too

Comment 28 Cedric Buissart 2020-06-16 13:35:16 UTC
Created nodejs:10/nghttp2 tracking bugs for this issue:

Affects: fedora-all [bug 1847481]


Created nodejs:11/nghttp2 tracking bugs for this issue:

Affects: fedora-all [bug 1847482]


Created nodejs:12/nghttp2 tracking bugs for this issue:

Affects: fedora-all [bug 1847483]


Created nodejs:13/nghttp2 tracking bugs for this issue:

Affects: fedora-all [bug 1847484]


Created nodejs:14/nghttp2 tracking bugs for this issue:

Affects: fedora-all [bug 1847485]

Comment 32 errata-xmlrpc 2020-06-22 12:26:58 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6
  JBoss Core Services on RHEL 7

Via RHSA-2020:2644 https://access.redhat.com/errata/RHSA-2020:2644

Comment 33 errata-xmlrpc 2020-06-22 13:08:55 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2020:2646 https://access.redhat.com/errata/RHSA-2020:2646

Comment 34 errata-xmlrpc 2020-06-25 16:55:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2755 https://access.redhat.com/errata/RHSA-2020:2755

Comment 35 errata-xmlrpc 2020-07-01 12:36:37 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2020:2784 https://access.redhat.com/errata/RHSA-2020:2784

Comment 37 errata-xmlrpc 2020-07-06 20:33:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2823 https://access.redhat.com/errata/RHSA-2020:2823

Comment 38 errata-xmlrpc 2020-07-07 09:01:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:2850 https://access.redhat.com/errata/RHSA-2020:2850

Comment 39 errata-xmlrpc 2020-07-07 09:12:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2847 https://access.redhat.com/errata/RHSA-2020:2847

Comment 40 errata-xmlrpc 2020-07-07 09:14:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:2849 https://access.redhat.com/errata/RHSA-2020:2849

Comment 41 errata-xmlrpc 2020-07-07 09:23:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2848 https://access.redhat.com/errata/RHSA-2020:2848

Comment 42 errata-xmlrpc 2020-07-07 09:39:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:2852 https://access.redhat.com/errata/RHSA-2020:2852

Comment 43 errata-xmlrpc 2020-07-13 10:48:07 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:2895 https://access.redhat.com/errata/RHSA-2020:2895

Comment 44 Chuck Svoboda 2020-07-20 16:59:42 UTC
How is this closed when nodejs:14/nodejs is not shown as patched?

Comment 46 errata-xmlrpc 2020-07-21 14:32:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:3042 https://access.redhat.com/errata/RHSA-2020:3042

Comment 47 Chuck Svoboda 2020-07-21 15:09:04 UTC
I'm not tracking. The errata link posted is for node10.  The https://access.redhat.com/security/cve/CVE-2020-11080 page still shows both node10 and node14 affected with no fix.

Comment 48 errata-xmlrpc 2020-07-21 19:28:59 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:3084 https://access.redhat.com/errata/RHSA-2020:3084

