Bug 2268639 (CVE-2024-28182, VU#421644.5) - CVE-2024-28182 nghttp2: CONTINUATION frames DoS
Summary: CVE-2024-28182 nghttp2: CONTINUATION frames DoS
Keywords:
Status: NEW
Alias: CVE-2024-28182, VU#421644.5
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2273035 2273038 2273389 2273390 2273391 2273392 2273393 2269269 2270549 2273034 2273036 2273388
Blocks: 2268258
Reported: 2024-03-08 23:32 UTC by Nick Tait
Modified: 2024-04-30 17:26 UTC (History)

Fixed In Version: nghttp2 1.61.0
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in how nghttp2 implements the HTTP/2 protocol. There is no adequate limit on the number of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated remote attacker to send a stream of such frames to a vulnerable server, consuming CPU or memory and causing a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:


Description Nick Tait 2024-03-08 23:32:34 UTC
This description was provided in the disclosure from VINCE:

An implementation using the nghttp2 library will continue to receive CONTINUATION frames, and will not call back to the application to allow visibility into this information before it resets the stream, resulting in a DoS.
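The frame-level behaviour described in the Doc Text and in the VINCE note above, shown as an added example written for this page: it is not nghttp2 code and does not use the nghttp2 API. A minimal HTTP/2 frame reader (h2_reader_feed) follows the HEADERS/CONTINUATION sequencing rules of RFC 9113. With max_continuations set to 0 it behaves like the unfixed library: it absorbs an unbounded run of CONTINUATION frames into a growing header buffer and, because END_HEADERS never arrives, never hands anything to the application. With a non-zero cap it tears the connection down after a handful of frames, which is the shape of the fix in nghttp2 1.61.0 (a per-header-block cap on CONTINUATION frames). The names h2_reader, h2_simulate and the verdict enum, the cap value of 8, and the zero-filled frames are this example's own constructs; the constructed traffic is not valid HPACK and is only meant to exercise the frame state machine.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* RFC 9113 frame header: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id. */
enum { H2_HDR = 9, H2_HEADERS = 0x1, H2_CONTINUATION = 0x9, H2_END_HEADERS = 0x4 };
enum h2_verdict { H2_OK = 0, H2_PROTOCOL_ERROR, H2_ENHANCE_YOUR_CALM };

struct h2_reader {
    unsigned max_continuations;     /* cap per header block; 0 = none (pre-1.61.0 behaviour) */
    uint32_t open_block_stream;     /* stream with an unfinished header block, 0 = none */
    unsigned continuations_seen;    /* CONTINUATION frames absorbed into that block */
    size_t   header_bytes_buffered; /* header bytes held while waiting for END_HEADERS */
    unsigned frames_processed;
    unsigned app_callbacks;         /* completed header blocks handed to the application */
};

/* Feed a buffer of complete frames through the reader's header-block state machine. */
static enum h2_verdict h2_reader_feed(struct h2_reader *r, const uint8_t *buf, size_t len)
{
    size_t off = 0;
    while (len - off >= H2_HDR) {
        const uint8_t *p = buf + off;
        uint32_t flen = ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
        uint8_t type = p[3], flags = p[4];
        uint32_t sid = (((uint32_t)p[5] << 24) | ((uint32_t)p[6] << 16) |
                        ((uint32_t)p[7] << 8) | p[8]) & 0x7fffffffu;
        if (len - off - H2_HDR < flen)
            break;                          /* partial frame: wait for more bytes */
        r->frames_processed++;
        if (r->open_block_stream != 0) {
            /* RFC 9113 s6.10: only CONTINUATION on the same stream may follow. */
            if (type != H2_CONTINUATION || sid != r->open_block_stream)
                return H2_PROTOCOL_ERROR;
            r->continuations_seen++;
            /* The check the vulnerable versions lacked; with no cap the buffer grows without bound. */
            if (r->max_continuations && r->continuations_seen > r->max_continuations)
                return H2_ENHANCE_YOUR_CALM;
            r->header_bytes_buffered += flen;
        } else if (type == H2_HEADERS) {
            r->open_block_stream = sid;
            r->continuations_seen = 0;
            r->header_bytes_buffered = flen;
        } else if (type == H2_CONTINUATION) {
            return H2_PROTOCOL_ERROR;       /* CONTINUATION with no header block open */
        }                                   /* other frame types are ignored in this demo */
        if ((type == H2_HEADERS || type == H2_CONTINUATION) && (flags & H2_END_HEADERS)) {
            r->open_block_stream = 0;       /* block complete: only now does the app see it */
            r->header_bytes_buffered = 0;
            r->app_callbacks++;
        }
        off += H2_HDR + flen;
    }
    return H2_OK;
}

/* Emit one frame with a zero-filled payload (constructed test traffic, not valid HPACK). */
static size_t h2_put_frame(uint8_t *out, uint32_t len, uint8_t type, uint8_t flags, uint32_t sid)
{
    uint8_t hdr[H2_HDR] = { (uint8_t)(len >> 16), (uint8_t)(len >> 8), (uint8_t)len, type, flags,
                            (uint8_t)(sid >> 24), (uint8_t)(sid >> 16), (uint8_t)(sid >> 8), (uint8_t)sid };
    memcpy(out, hdr, H2_HDR);
    memset(out + H2_HDR, 0, len);
    return H2_HDR + len;
}

/* Constructed block: HEADERS then n_cont CONTINUATIONs; END_HEADERS only if finish != 0 (finish == 0 is the CVE pattern). */
static size_t h2_build_block(uint8_t *out, uint32_t sid, unsigned n_cont, uint32_t plen, int finish)
{
    size_t off = h2_put_frame(out, plen, H2_HEADERS, (n_cont == 0 && finish) ? H2_END_HEADERS : 0, sid);
    for (unsigned i = 0; i < n_cont; i++)
        off += h2_put_frame(out + off, plen, H2_CONTINUATION,
                            (i + 1 == n_cont && finish) ? H2_END_HEADERS : 0, sid);
    return off;
}

/* Run one constructed block through a fresh reader with the given cap; final state is left in *s. */
static enum h2_verdict h2_simulate(unsigned cap, unsigned n_cont, uint32_t plen, int finish, struct h2_reader *s)
{
    uint8_t *buf = malloc((size_t)(n_cont + 1) * (H2_HDR + plen));
    if (!buf) abort();
    size_t len = h2_build_block(buf, 1, n_cont, plen, finish);
    memset(s, 0, sizeof *s);
    s->max_continuations = cap;
    enum h2_verdict v = h2_reader_feed(s, buf, len);
    free(buf);
    return v;
}

int main(void)
{
    struct { unsigned cap, n; int finish; const char *name; } runs[] = {
        { 0, 10000, 0, "no cap, flood" }, { 8, 10000, 0, "cap 8, flood" }, { 8, 2, 1, "cap 8, legit" } };
    for (size_t i = 0; i < sizeof runs / sizeof runs[0]; i++) {
        struct h2_reader s;
        enum h2_verdict v = h2_simulate(runs[i].cap, runs[i].n, 16, runs[i].finish, &s);
        printf("%-14s verdict=%d frames=%u buffered=%zu app_callbacks=%u\n", runs[i].name,
               (int)v, s.frames_processed, s.header_bytes_buffered, s.app_callbacks);
    }
    return 0;
}
```

The uncapped run processes all 10001 frames, holds every header byte and reports zero application callbacks, which is exactly the situation the VINCE note describes: the library keeps absorbing frames and the application never gets a chance to look. The capped run stops after the ninth CONTINUATION with a bounded buffer, and the legitimate run (a header block that actually ends) still completes and reaches the application once.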

Comment 16 Nick Tait 2024-04-03 19:12:59 UTC
Created nghttp2 tracking bugs for this issue:

Affects: fedora-all [bug 2273036]


Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2273035]


Created nodejs:13/nghttp2 tracking bugs for this issue:

Affects: epel-all [bug 2273034]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2273038]

Comment 18 Nick Tait 2024-04-04 15:04:38 UTC
Created nghttp2 tracking bugs for this issue:

Affects: epel-all [bug 2273388]


Created nodejs16 tracking bugs for this issue:

Affects: fedora-all [bug 2273389]


Created nodejs18 tracking bugs for this issue:

Affects: fedora-all [bug 2273390]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-all [bug 2273391]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2273392]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2273393]

Comment 26 Fedora Update System 2024-04-19 21:29:13 UTC
FEDORA-2024-da8cdd8414 (nghttp2-1.59.0-3.fc40) has been pushed to the Fedora 40 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 27 Fedora Update System 2024-04-20 01:02:44 UTC
FEDORA-2024-a00de83de9 (nghttp2-1.55.1-5.fc39) has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make note of it in this bug report.
