Bug 2268639 (CVE-2024-28182, VU#421644.5) - CVE-2024-28182 nghttp2: CONTINUATION frames DoS
Summary: CVE-2024-28182 nghttp2: CONTINUATION frames DoS
Keywords:
Status: NEW
Alias: CVE-2024-28182, VU#421644.5
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium (priority), medium (severity)
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2273035 2273038 2273389 2273390 2273391 2273392 2273393 2269269 2270549 2273034 2273036 2273388 2278672
Blocks: 2268258
Reported: 2024-03-08 23:32 UTC by Nick Tait
Modified: 2024-05-21 05:12 UTC (History)
CC List: 13 users

Fixed In Version: nghttp2 1.61.0
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in how nghttp2 implements the HTTP/2 protocol. Insufficient limits are placed on the number of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated remote attacker to send packets to vulnerable servers that consume compute or memory resources, causing a Denial of Service.
Clone Of:
Environment:
Last Closed:
Embargoed:

Links
System ID Last Updated
Red Hat Product Errata RHBA-2024:2794 2024-05-09 09:29:37 UTC
Red Hat Product Errata RHBA-2024:2795 2024-05-09 09:29:46 UTC
Red Hat Product Errata RHBA-2024:2854 2024-05-15 12:44:56 UTC
Red Hat Product Errata RHBA-2024:2856 2024-05-15 15:42:18 UTC
Red Hat Product Errata RHBA-2024:2902 2024-05-20 01:25:41 UTC
Red Hat Product Errata RHBA-2024:2922 2024-05-20 11:56:37 UTC
Red Hat Product Errata RHSA-2024:2693 2024-05-07 15:47:37 UTC
Red Hat Product Errata RHSA-2024:2694 2024-05-07 15:44:57 UTC
Red Hat Product Errata RHSA-2024:2778 2024-05-09 06:20:47 UTC
Red Hat Product Errata RHSA-2024:2779 2024-05-09 06:18:17 UTC
Red Hat Product Errata RHSA-2024:2780 2024-05-09 06:21:31 UTC
Red Hat Product Errata RHSA-2024:2853 2024-05-15 11:28:58 UTC
Red Hat Product Errata RHSA-2024:2910 2024-05-20 02:06:16 UTC
Red Hat Product Errata RHSA-2024:2937 2024-05-21 05:12:03 UTC

Description Nick Tait 2024-03-08 23:32:34 UTC
This description was provided in the disclosure from VINCE:

An implementation using the nghttp2 library will continue to receive CONTINUATION frames, and will not call back to the application to allow visibility into this information before it resets the stream, resulting in a DoS.
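A defender-side illustration of the missing limit that the Doc Text and the VINCE description point at, as an added example that is not nghttp2's or Red Hat's code: a small HTTP/2 frame-header decoder plus a per-stream CONTINUATION budget that rejects the connection once the budget is exhausted instead of reading frames indefinitely. The cap MAX_CONTINUATIONS, the function names and the simulate() input are assumptions constructed for this example.

```c
#include <stdint.h>

/* Added example, not nghttp2's own code: bound the number of CONTINUATION frames
 * that may follow a HEADERS frame. MAX_CONTINUATIONS is an assumed, illustrative cap. */
#define FRAME_HEADERS      0x1
#define FRAME_CONTINUATION 0x9
#define FLAG_END_HEADERS   0x4
#define MAX_CONTINUATIONS  8
struct frame_hdr { uint32_t length; uint8_t type, flags; uint32_t stream_id; };
/* Only one header block may be open on a connection at any time. */
struct hdr_block_state { uint32_t stream_id; int open; unsigned continuations; };

/* Decode the 9-octet HTTP/2 frame header (RFC 9113, section 4.1). */
void parse_frame_hdr(const uint8_t b[9], struct frame_hdr *h) {
    h->length = ((uint32_t)b[0] << 16) | ((uint32_t)b[1] << 8) | b[2];
    h->type = b[3]; h->flags = b[4];
    h->stream_id = (((uint32_t)b[5] << 24) | ((uint32_t)b[6] << 16) |
                    ((uint32_t)b[7] << 8) | b[8]) & 0x7fffffffu; /* mask reserved bit */
}

/* 0 = keep reading, 1 = header block complete, -1 = connection error: drop the peer. */
int account_frame(struct hdr_block_state *s, const struct frame_hdr *h) {
    if (h->type == FRAME_HEADERS) {
        if (s->open) return -1;                 /* a block is already in progress */
        s->stream_id = h->stream_id; s->continuations = 0;
        s->open = !(h->flags & FLAG_END_HEADERS);
        return s->open ? 0 : 1;
    }
    if (h->type == FRAME_CONTINUATION) {
        if (!s->open || h->stream_id != s->stream_id) return -1;
        if (++s->continuations > MAX_CONTINUATIONS) return -1; /* budget exhausted */
        if (h->flags & FLAG_END_HEADERS) { s->open = 0; return 1; }
        return 0;
    }
    return s->open ? -1 : 0; /* other frames may not interleave a header block */
}

/* Constructed input: HEADERS on stream 1 without END_HEADERS, then n_cont
 * CONTINUATION frames; the last one carries END_HEADERS when end_last is set. */
int simulate(unsigned n_cont, int end_last) {
    struct hdr_block_state st = {0, 0, 0}; struct frame_hdr h;
    uint8_t raw[9] = {0, 0, 16, FRAME_HEADERS, 0, 0, 0, 0, 1};
    parse_frame_hdr(raw, &h);
    int rc = account_frame(&st, &h);
    for (unsigned i = 0; i < n_cont && rc == 0; i++) {
        raw[3] = FRAME_CONTINUATION;
        raw[4] = (end_last && i + 1 == n_cont) ? FLAG_END_HEADERS : 0;
        parse_frame_hdr(raw, &h);
        rc = account_frame(&st, &h);
    }
    return rc;
}
```

With the budget in place, a peer that never sends END_HEADERS gets at most MAX_CONTINUATIONS frames of work per header block before the connection is dropped.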

Comment 16 Nick Tait 2024-04-03 19:12:59 UTC
Created nghttp2 tracking bugs for this issue:

Affects: fedora-all [bug 2273036]


Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2273035]


Created nodejs:13/nghttp2 tracking bugs for this issue:

Affects: epel-all [bug 2273034]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2273038]

Comment 18 Nick Tait 2024-04-04 15:04:38 UTC
Created nghttp2 tracking bugs for this issue:

Affects: epel-all [bug 2273388]


Created nodejs16 tracking bugs for this issue:

Affects: fedora-all [bug 2273389]


Created nodejs18 tracking bugs for this issue:

Affects: fedora-all [bug 2273390]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-all [bug 2273391]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2273392]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2273393]

Comment 26 Fedora Update System 2024-04-19 21:29:13 UTC
FEDORA-2024-da8cdd8414 (nghttp2-1.59.0-3.fc40) has been pushed to the Fedora 40 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 27 Fedora Update System 2024-04-20 01:02:44 UTC
FEDORA-2024-a00de83de9 (nghttp2-1.55.1-5.fc39) has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 34 errata-xmlrpc 2024-05-07 15:44:55 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2024:2694 https://access.redhat.com/errata/RHSA-2024:2694

Comment 35 errata-xmlrpc 2024-05-07 15:47:34 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services for RHEL 8

Via RHSA-2024:2693 https://access.redhat.com/errata/RHSA-2024:2693

Comment 36 errata-xmlrpc 2024-05-09 06:18:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2779 https://access.redhat.com/errata/RHSA-2024:2779

Comment 37 errata-xmlrpc 2024-05-09 06:20:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2778 https://access.redhat.com/errata/RHSA-2024:2778

Comment 38 errata-xmlrpc 2024-05-09 06:21:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2780 https://access.redhat.com/errata/RHSA-2024:2780

Comment 39 errata-xmlrpc 2024-05-15 11:28:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2853 https://access.redhat.com/errata/RHSA-2024:2853

Comment 40 errata-xmlrpc 2024-05-20 02:06:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2910 https://access.redhat.com/errata/RHSA-2024:2910

Comment 42 errata-xmlrpc 2024-05-21 05:12:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:2937 https://access.redhat.com/errata/RHSA-2024:2937