2274149 – Fedora ALL STABLE: unpatched CVE-2024-27316(HTTP/2 Header DOS),CVE-2023-38709(Response Split)

Bug 2274149 - Fedora ALL STABLE: unpatched CVE-2024-27316(HTTP/2 Header DOS),CVE-2023-38709(Response Split)

Summary: Fedora ALL STABLE: unpatched CVE-2024-27316(HTTP/2 Header DOS),CVE-2023-38709...

Keywords:
Status:	CLOSED DUPLICATE of bug 2273037
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	httpd
Sub Component:
Version:	39
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	urgent
Target Milestone:	---
Assignee:	Luboš Uhliarik
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:	https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2024-04-09 12:25 UTC by customercare
Modified:	2024-04-17 15:52 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2024-04-17 15:52:50 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description customercare 2024-04-09 12:25:14 UTC

Information about CVE-2024-27316 => DOS of Server

https://thehackernews.com/2024/04/new-http2-vulnerability-exposes-web.html

Problem:

httpd package for stable Fedora's is missing 3 moderate rated CVEs. Version is available for F41, but not for F38/39/40 .

Even if Apache rates these issues as "moderadte",DOS attacks are not so moderate if your webserver gets DOSed in the realworld. So pls fix it.

suggested WORKAROUND: disable HTTP/2 Protocol

Apache Info:

Fixed in Apache HTTP Server 2.4.59

moderate: Apache HTTP Server: HTTP response splitting (CVE-2023-38709)

Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses.

This issue affects Apache HTTP Server: through 2.4.58.

Acknowledgements: finder: Orange Tsai (@orange_8361) from DEVCORE
Reported to security team 2023-06-26
Update 2.4.59 released 2024-04-04
Affects <=2.4.58

low: Apache HTTP Server: HTTP Response Splitting in multiple modules (CVE-2024-24795)

HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack.

Users are recommended to upgrade to version 2.4.59, which fixes this issue.

Acknowledgements:

finder: Keran Mu, Tsinghua University and Zhongguancun Laboratory.
finder: Jianjun Chen, Tsinghua University and Zhongguancun Laboratory.

Reported to security team 2023-09-06
Update 2.4.59 released 2024-04-04
Affects <=2.4.58
moderate: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames (CVE-2024-27316)

HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.

Acknowledgements: finder: Bartek Nowotarski (https://nowotarski.info/)
Reported to security team 2024-02-22
Update 2.4.59 released 2024-04-04
Affects <=2.4.58

Reproducible: Always

Actual Results:
DOS/OOM

Expected Results:
no OOM/no DOS

Comment 1 Joe Orton 2024-04-17 15:52:50 UTC

This is an issue in mod_http2, not httpd.

*** This bug has been marked as a duplicate of bug 2273037 ***

Note You need to log in before you can comment on or make changes to this bug.