Bug 2268639 (CVE-2024-28182, VU#421644.5) - CVE-2024-28182 nghttp2: CONTINUATION frames DoS
Summary: CVE-2024-28182 nghttp2: CONTINUATION frames DoS
Keywords:
Status: NEW
Alias: CVE-2024-28182, VU#421644.5
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2273035 2273392 2273393 2269269 2270549 2273034 2273036 2273038 2273388 2273389 2273390 2273391 2278672
Blocks: 2268258
TreeView+ depends on / blocked
 
Reported: 2024-03-08 23:32 UTC by Nick Tait
Modified: 2025-05-16 08:28 UTC (History)
12 users (show)

Fixed In Version: nghttp2 1.61.0
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:2794 0 None None None 2024-05-09 09:29:37 UTC
Red Hat Product Errata RHBA-2024:2795 0 None None None 2024-05-09 09:29:46 UTC
Red Hat Product Errata RHBA-2024:2854 0 None None None 2024-05-15 12:44:56 UTC
Red Hat Product Errata RHBA-2024:2856 0 None None None 2024-05-15 15:42:18 UTC
Red Hat Product Errata RHBA-2024:2902 0 None None None 2024-05-20 01:25:41 UTC
Red Hat Product Errata RHBA-2024:2922 0 None None None 2024-05-20 11:56:37 UTC
Red Hat Product Errata RHBA-2024:3518 0 None None None 2024-05-30 17:40:48 UTC
Red Hat Product Errata RHBA-2024:3519 0 None None None 2024-05-30 17:55:25 UTC
Red Hat Product Errata RHBA-2024:3535 0 None None None 2024-06-03 01:08:19 UTC
Red Hat Product Errata RHBA-2024:3536 0 None None None 2024-06-03 01:15:12 UTC
Red Hat Product Errata RHBA-2024:3537 0 None None None 2024-06-03 01:12:51 UTC
Red Hat Product Errata RHBA-2024:3538 0 None None None 2024-06-03 01:15:40 UTC
Red Hat Product Errata RHBA-2024:3539 0 None None None 2024-06-03 01:15:18 UTC
Red Hat Product Errata RHBA-2024:3542 0 None None None 2024-06-03 01:30:30 UTC
Red Hat Product Errata RHBA-2024:3638 0 None None None 2024-06-05 15:29:50 UTC
Red Hat Product Errata RHBA-2024:3650 0 None None None 2024-06-05 21:38:38 UTC
Red Hat Product Errata RHBA-2024:3686 0 None None None 2024-06-06 13:16:49 UTC
Red Hat Product Errata RHBA-2024:3687 0 None None None 2024-06-06 13:23:58 UTC
Red Hat Product Errata RHBA-2024:3688 0 None None None 2024-06-06 13:23:44 UTC
Red Hat Product Errata RHBA-2024:3689 0 None None None 2024-06-06 13:24:49 UTC
Red Hat Product Errata RHBA-2024:3690 0 None None None 2024-06-06 13:26:00 UTC
Red Hat Product Errata RHBA-2024:3691 0 None None None 2024-06-06 13:29:43 UTC
Red Hat Product Errata RHBA-2024:3692 0 None None None 2024-06-06 13:28:30 UTC
Red Hat Product Errata RHBA-2024:3693 0 None None None 2024-06-06 13:29:30 UTC
Red Hat Product Errata RHBA-2024:3694 0 None None None 2024-06-06 13:29:49 UTC
Red Hat Product Errata RHBA-2024:3695 0 None None None 2024-06-06 13:33:17 UTC
Red Hat Product Errata RHBA-2024:3771 0 None None None 2024-06-10 14:44:31 UTC
Red Hat Product Errata RHBA-2024:3798 0 None None None 2024-06-11 13:16:41 UTC
Red Hat Product Errata RHBA-2024:4342 0 None None None 2024-07-08 01:05:47 UTC
Red Hat Product Errata RHBA-2024:4348 0 None None None 2024-07-08 01:51:20 UTC
Red Hat Product Errata RHBA-2024:4362 0 None None None 2024-07-08 10:38:12 UTC
Red Hat Product Errata RHBA-2024:4393 0 None None None 2024-07-08 22:49:18 UTC
Red Hat Product Errata RHBA-2024:4423 0 None None None 2024-07-09 11:58:55 UTC
Red Hat Product Errata RHBA-2024:4424 0 None None None 2024-07-09 11:58:47 UTC
Red Hat Product Errata RHBA-2024:4448 0 None None None 2024-07-10 01:50:51 UTC
Red Hat Product Errata RHBA-2024:4449 0 None None None 2024-07-10 01:49:19 UTC
Red Hat Product Errata RHBA-2024:4496 0 None None None 2024-07-11 10:56:39 UTC
Red Hat Product Errata RHBA-2024:4498 0 None None None 2024-07-11 11:26:18 UTC
Red Hat Product Errata RHBA-2024:4518 0 None None None 2024-07-11 17:44:52 UTC
Red Hat Product Errata RHBA-2024:4536 0 None None None 2024-07-15 11:22:37 UTC
Red Hat Product Errata RHBA-2024:4592 0 None None None 2024-07-17 13:49:50 UTC
Red Hat Product Errata RHBA-2024:4594 0 None None None 2024-07-17 16:32:51 UTC
Red Hat Product Errata RHBA-2024:4603 0 None None None 2024-07-17 22:48:42 UTC
Red Hat Product Errata RHBA-2024:4604 0 None None None 2024-07-18 06:38:01 UTC
Red Hat Product Errata RHBA-2024:4628 0 None None None 2024-07-18 14:26:03 UTC
Red Hat Product Errata RHBA-2024:4632 0 None None None 2024-07-18 15:15:55 UTC
Red Hat Product Errata RHBA-2024:4686 0 None None None 2024-07-22 06:19:43 UTC
Red Hat Product Errata RHBA-2024:4687 0 None None None 2024-07-22 06:29:36 UTC
Red Hat Product Errata RHBA-2024:4689 0 None None None 2024-07-22 06:34:54 UTC
Red Hat Product Errata RHBA-2024:4690 0 None None None 2024-07-22 06:35:11 UTC
Red Hat Product Errata RHBA-2024:4693 0 None None None 2024-07-22 07:02:14 UTC
Red Hat Product Errata RHBA-2024:4694 0 None None None 2024-07-22 07:48:38 UTC
Red Hat Product Errata RHBA-2024:4711 0 None None None 2024-07-22 14:40:06 UTC
Red Hat Product Errata RHBA-2024:4714 0 None None None 2024-07-23 06:23:38 UTC
Red Hat Product Errata RHSA-2024:2693 0 None None None 2024-05-07 15:47:37 UTC
Red Hat Product Errata RHSA-2024:2694 0 None None None 2024-05-07 15:44:57 UTC
Red Hat Product Errata RHSA-2024:2778 0 None None None 2024-05-09 06:20:47 UTC
Red Hat Product Errata RHSA-2024:2779 0 None None None 2024-05-09 06:18:17 UTC
Red Hat Product Errata RHSA-2024:2780 0 None None None 2024-05-09 06:21:31 UTC
Red Hat Product Errata RHSA-2024:2853 0 None None None 2024-05-15 11:28:58 UTC
Red Hat Product Errata RHSA-2024:2910 0 None None None 2024-05-20 02:06:16 UTC
Red Hat Product Errata RHSA-2024:2937 0 None None None 2024-05-21 05:12:03 UTC
Red Hat Product Errata RHSA-2024:3501 0 None None None 2024-05-30 12:58:51 UTC
Red Hat Product Errata RHSA-2024:3544 0 None None None 2024-06-03 07:02:17 UTC
Red Hat Product Errata RHSA-2024:3665 0 None None None 2024-06-06 08:25:46 UTC
Red Hat Product Errata RHSA-2024:3701 0 None None None 2024-06-06 14:19:03 UTC
Red Hat Product Errata RHSA-2024:3763 0 None None None 2024-06-10 14:44:29 UTC
Red Hat Product Errata RHSA-2024:3875 0 None None None 2024-06-12 22:30:04 UTC
Red Hat Product Errata RHSA-2024:4252 0 None None None 2024-07-02 15:25:11 UTC
Red Hat Product Errata RHSA-2024:4576 0 None None None 2024-07-16 15:36:25 UTC
Red Hat Product Errata RHSA-2024:4721 0 None None None 2024-07-23 08:35:13 UTC
Red Hat Product Errata RHSA-2024:4732 0 None None None 2024-07-23 14:54:51 UTC
Red Hat Product Errata RHSA-2024:4824 0 None None None 2024-07-24 13:06:19 UTC

Description Nick Tait 2024-03-08 23:32:34 UTC 
This description was provided in the disclosure from VINCE:

An implementation using the nghttp2 library will continue to receive CONTINUATION frames, and will not callback to the application to allow visibility into this information before it resets the stream, resulting in a DoS.
Comment 16 Nick Tait 2024-04-03 19:12:59 UTC 
Created nghttp2 tracking bugs for this issue:

Affects: fedora-all [bug 2273036]


Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2273035]


Created nodejs:13/nghttp2 tracking bugs for this issue:

Affects: epel-all [bug 2273034]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2273038]
Comment 18 Nick Tait 2024-04-04 15:04:38 UTC 
Created nghttp2 tracking bugs for this issue:

Affects: epel-all [bug 2273388]


Created nodejs16 tracking bugs for this issue:

Affects: fedora-all [bug 2273389]


Created nodejs18 tracking bugs for this issue:

Affects: fedora-all [bug 2273390]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-all [bug 2273391]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2273392]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2273393]
Comment 26 Fedora Update System 2024-04-19 21:29:13 UTC 
FEDORA-2024-da8cdd8414 (nghttp2-1.59.0-3.fc40) has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 27 Fedora Update System 2024-04-20 01:02:44 UTC 
FEDORA-2024-a00de83de9 (nghttp2-1.55.1-5.fc39) has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 34 errata-xmlrpc 2024-05-07 15:44:55 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2024:2694 https://access.redhat.com/errata/RHSA-2024:2694
Comment 35 errata-xmlrpc 2024-05-07 15:47:34 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2024:2693 https://access.redhat.com/errata/RHSA-2024:2693
Comment 36 errata-xmlrpc 2024-05-09 06:18:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2779 https://access.redhat.com/errata/RHSA-2024:2779
Comment 37 errata-xmlrpc 2024-05-09 06:20:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2778 https://access.redhat.com/errata/RHSA-2024:2778
Comment 38 errata-xmlrpc 2024-05-09 06:21:28 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2780 https://access.redhat.com/errata/RHSA-2024:2780
Comment 39 errata-xmlrpc 2024-05-15 11:28:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2853 https://access.redhat.com/errata/RHSA-2024:2853
Comment 40 errata-xmlrpc 2024-05-20 02:06:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2910 https://access.redhat.com/errata/RHSA-2024:2910
Comment 42 errata-xmlrpc 2024-05-21 05:12:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:2937 https://access.redhat.com/errata/RHSA-2024:2937
Comment 43 errata-xmlrpc 2024-05-30 12:58:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3501 https://access.redhat.com/errata/RHSA-2024:3501
Comment 44 errata-xmlrpc 2024-06-03 07:02:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:3544 https://access.redhat.com/errata/RHSA-2024:3544
Comment 45 errata-xmlrpc 2024-06-06 08:25:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:3665 https://access.redhat.com/errata/RHSA-2024:3665
Comment 46 errata-xmlrpc 2024-06-06 14:19:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:3701 https://access.redhat.com/errata/RHSA-2024:3701
Comment 47 errata-xmlrpc 2024-06-10 14:44:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:3763 https://access.redhat.com/errata/RHSA-2024:3763
Comment 48 errata-xmlrpc 2024-06-12 22:30:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:3875 https://access.redhat.com/errata/RHSA-2024:3875
Comment 49 errata-xmlrpc 2024-07-02 15:25:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:4252 https://access.redhat.com/errata/RHSA-2024:4252
Comment 50 errata-xmlrpc 2024-07-16 15:36:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2024:4576 https://access.redhat.com/errata/RHSA-2024:4576
Comment 51 errata-xmlrpc 2024-07-23 08:35:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2024:4721 https://access.redhat.com/errata/RHSA-2024:4721
Comment 52 errata-xmlrpc 2024-07-23 14:54:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:4732 https://access.redhat.com/errata/RHSA-2024:4732
Comment 53 errata-xmlrpc 2024-07-24 13:06:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:4824 https://access.redhat.com/errata/RHSA-2024:4824
Note You need to log in before you can comment on or make changes to this bug.