| Summary: | nghttp2 new security issue CVE-2024-28182 (HTTP/2 CONTINUATION Flood) | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Marc Krämer <mageia> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | andrewsfarm, nicolas.salguero, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://nowotarski.info/http2-continuation-flood/ | | |
| See Also: | https://bugs.mageia.org/show_bug.cgi?id=33060, https://bugs.mageia.org/show_bug.cgi?id=33068, https://bugs.mageia.org/show_bug.cgi?id=32980, https://bugs.mageia.org/show_bug.cgi?id=33055, https://bugs.mageia.org/show_bug.cgi?id=33059 | | |
| Whiteboard: | MGA9-64-OK MGA9-32-OK | | |
| Source RPM: | nghttp2-1.54.0-1.mga9.src.rpm | CVE: | CVE-2024-28182 |
| Status comment: | | | |
Description
Marc Krämer
2024-04-10 15:46:50 CEST
Marc Krämer
2024-04-10 15:48:34 CEST
CVE:
(none) =>
CVE-2024-2653,CVE-2024-27316,CVE-2024-24549,CVE-2024-28182,CVE-2023-45288
Marc Krämer
2024-04-10 15:57:52 CEST
Depends on:
(none) =>
33059

For Apache, the issue was fixed in bug 33059. For Tomcat, the issue was fixed in bug 32980. For golang, the issue is described in bug 33068. For nghttp2, the link above says it affects versions <= 1.29.2 and, for Mageia 9, the version is 1.54.0, so it seems the problem is already fixed.
CC:
(none) =>
nicolas.salguero

(In reply to Nicolas Salguero from comment #1)
> For nghttp2, the link above says it affects versions <= 1.29.2 and, for
> Mageia 9, the version is 1.54.0, so it seems the problem is already fixed.

Ooops, I read the wrong line. Versions of nghttp2 <= 1.60.0 are affected by CVE-2024-28182.

pushed nghttp2 for mga9 build.
Should we file bugs for each package?
-tomcat
-nghttp2
-golang
-nodejs

Node.js 2024-01-15 <=18.20.0, <=20.12.0, <=21.7.1 CVE-2024-27983

For completeness:
- For h2 Rust crate, the issue is described in bug 33060.
- For nodejs, the issue was fixed in bug 33055.
Depends on:
(none) =>
33060, 33055

(In reply to Marc Krämer from comment #3)
> Should we file bugs for each package?
>
> -tomcat
> -nghttp2
> -golang
> -nodejs

Yes, in that case, we created one bug per package. So this bug can be used to handle nghttp2.
Nicolas Salguero
2024-04-10 16:27:20 CEST
CVE:
CVE-2024-2653,CVE-2024-27316,CVE-2024-24549,CVE-2024-28182,CVE-2023-45288 =>
CVE-2024-28182
Nicolas Salguero
2024-04-10 16:27:33 CEST
See Also:
(none) =>
https://bugs.mageia.org/show_bug.cgi?id=33068
Nicolas Salguero
2024-04-10 16:27:46 CEST
See Also:
(none) =>
https://bugs.mageia.org/show_bug.cgi?id=32980
Nicolas Salguero
2024-04-10 16:27:52 CEST
See Also:
(none) =>
https://bugs.mageia.org/show_bug.cgi?id=33055
Nicolas Salguero
2024-04-10 16:28:01 CEST
See Also:
(none) =>
https://bugs.mageia.org/show_bug.cgi?id=33059
Nicolas Salguero
2024-04-10 16:28:09 CEST
Depends on:
33060, 33068, 32980, 33055, 33059 =>
(none)
Nicolas Salguero
2024-04-10 16:30:12 CEST
Summary:
Security: http2 continuation flood =>
nghttp2 new security issue CVE-2024-28182 (HTTP/2 CONTINUATION Flood)

Updated nghttp2 packages fix security vulnerabilities:

The nghttp2 library keeps reading an unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset, to keep the HPACK context in sync. This causes excessive CPU usage to decode the HPACK stream.

This update fixes the issue. This is the latest release, which will bring some more fixes and improvements.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-28182
https://nowotarski.info/http2-continuation-flood/
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-x6x3-gv8h-m57q
========================

Updated packages in core/updates_testing:
========================

nghttp2-1.61.0-1.mga9
lib64nghttp2_14-1.61.0-1.mga9
lib64nghttp2-devel-1.61.0-1.mga9
lib64nghttp2_14-debuginfo-1.61.0-1.mga9
nghttp2-debugsource-1.61.0-1.mga9

Source RPMs:
nghttp2-1.61.0-1.mga9.src.rpm

Assignee:
bugsquad =>
qa-bugs
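To make the advisory text concrete, here is an added example (not code from nghttp2 or from the Mageia package): a minimal HTTP/2 frame walker that, in unbounded mode, consumes every CONTINUATION frame of an open header block as the pre-fix library did, and in bounded mode drops the connection once more than an assumed cap of 8 CONTINUATION frames follow one HEADERS frame. The frame layout follows RFC 9113; the cap value, the function names and the sample inputs are constructed for this example.

```python
import struct

# HTTP/2 frame types and flags from RFC 9113.  MAX_CONTINUATIONS is an
# assumed cap for this example, not a value taken from the advisory.
HEADERS, CONTINUATION = 0x1, 0x9
END_HEADERS = 0x4
MAX_CONTINUATIONS = 8


def frame(ftype, flags, stream_id, payload):
    """Encode one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def scan(data, bounded=True):
    """Walk a raw HTTP/2 byte stream; return (verdict, header_block_bytes).

    bounded=False models the pre-fix reader: every CONTINUATION frame of an
    open header block is consumed (and would be HPACK-decoded) with no limit.
    bounded=True drops the connection once more than MAX_CONTINUATIONS frames
    follow one HEADERS frame.  Padding and priority fields are not parsed.
    """
    off, open_stream, conts, hdr_bytes = 0, None, 0, 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        off += 9 + length
        if ftype == HEADERS:
            open_stream, conts, hdr_bytes = sid, 0, len(payload)
        elif ftype == CONTINUATION and sid == open_stream:
            conts += 1
            hdr_bytes += len(payload)
            if bounded and conts > MAX_CONTINUATIONS:
                return "drop: continuation flood", hdr_bytes
        else:
            continue  # other frame types do not touch the header block
        if flags & END_HEADERS:
            open_stream = None  # header block complete
    return "ok", hdr_bytes


def benign_request():
    """Constructed sample: HEADERS plus two 1 KiB CONTINUATION frames."""
    return (frame(HEADERS, 0, 1, b"\x82") + frame(CONTINUATION, 0, 1, b"\x00" * 1024)
            + frame(CONTINUATION, END_HEADERS, 1, b"\x00" * 1024))


def open_ended_block(n):
    """Constructed sample: a header block with n CONTINUATION frames and no END_HEADERS."""
    return frame(HEADERS, 0, 1, b"\x82") + b"".join(frame(CONTINUATION, 0, 1, b"\x00" * 1024) for _ in range(n))
```

The byte count returned is the amount of header-block data a reader would have to feed to its HPACK decoder, which is the work the advisory describes as excessive.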
katnatek
2024-04-13 04:12:41 CEST
Keywords:
(none) =>
advisory

RH Mageia 9 x86_64
LC_ALL=C urpmi nghttp2 lib64nghttp2_14 lib64nghttp2-devel
installing nghttp2-1.61.0-1.mga9.x86_64.rpm lib64nghttp2_14-1.61.0-1.mga9.x86_64.rpm lib64nghttp2-devel-1.61.0-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ##################################################################################################
1/3: lib64nghttp2_14 ##################################################################################################
2/3: lib64nghttp2-devel ##################################################################################################
3/3: nghttp2 ##################################################################################################
1/2: removing lib64nghttp2-devel-1.54.0-1.mga9.x86_64
##################################################################################################
2/2: removing lib64nghttp2_14-1.54.0-1.mga9.x86_64
##################################################################################################
Reference https://bugs.mageia.org/show_bug.cgi?id=25424#c3
Something has changed since then; I can't reproduce the test, some files are missing.
nghttp
-bash: nghttp: orden no encontrada
urpmq -pil nghttp2
Name : nghttp2
Version : 1.61.0
Release : 1.mga9
Group : System/Libraries
Size : 43815 Architecture: x86_64
Source RPM : nghttp2-1.61.0-1.mga9.src.rpm Build Host: localhost
Packager : mokraemer <mokraemer>
URL : https://nghttp2.org/
Summary : Experimental HTTP/2 client, server and proxy
Description :
This package contains the HTTP/2 client, server and proxy programs.
/usr/share/man/man1/h2load.1.xz
/usr/share/man/man1/nghttp.1.xz
/usr/share/man/man1/nghttpd.1.xz
/usr/share/man/man1/nghttpx.1.xz
/usr/share/nghttp2
/usr/share/nghttp2/fetch-ocsp-response
Name : nghttp2
Version : 1.54.0
Release : 1.mga9
Group : System/Libraries
Size : 43664 Architecture: x86_64
Source RPM : nghttp2-1.54.0-1.mga9.src.rpm
URL : https://nghttp2.org/
Summary : Experimental HTTP/2 client, server and proxy
Description :
This package contains the HTTP/2 client, server and proxy programs.
/usr/share/man/man1/h2load.1.xz
/usr/share/man/man1/nghttp.1.xz
/usr/share/man/man1/nghttpd.1.xz
/usr/share/man/man1/nghttpx.1.xz
/usr/share/nghttp2
/usr/share/nghttp2/fetch-ocsp-response
So the missing files do not exist, neither in the current package nor in the testing package.
katnatek
2024-04-16 03:32:36 CEST
Keywords:
(none) =>
feedback

In the Fedora package https://fedora.pkgs.org/rawhide/fedora-x86_64/nghttp2-1.61.0-1.fc41.x86_64.rpm.html the missing files are listed, so it is a packaging issue in Mageia.
katnatek
2024-04-16 19:57:55 CEST
Keywords:
feedback =>
(none)

Searching by myself, it looks like Mageia does not have all the required libraries to build the binaries. So giving an OK based on a clean install.
Whiteboard:
(none) =>
MGA9-64-OK

So, we check for what uses the library: (Removing duplicates)

$ urpmq --whatrequires lib64nghttp2_14
apache-mod_http2
bind
lib64bind9.18.15
lib64curl4
lib64gpac12
lib64nghttp2-devel
lib64nghttp2_14
lib64soup3.0_0
lib64wget1
lib64wireshark16

And,

$ urpmq --whatrequires-recursive lib64nghttp2_14

gives a very, very long list.

We should at least test one or more of them with strace to see if they still work, and that file(s) from the library have been accessed.

Removing the OK, for now.
Whiteboard:
MGA9-64-OK =>
(none)

I sent the recursive list of what requires the library to a text file, and a list of what doesn't use it in some fashion would be shorter. So, if the update installs cleanly, and the system shows no ill effects afterward when used for a period of time, that should be enough. Restoring the 64-bit OK.

But, because it is so basic to Mageia operation, before validating we'll need a 32-bit test, as well.
Whiteboard:
(none) =>
MGA9-64-OK

On Foolishness, my Dell Inspiron 5100, P4, Radeon RV200 graphics, ath3 wifi, MGA9-32 Xfce4. Used qarepo to go after the packages, except for debug, but libnghttp2_14 was the only one that updated. No installation issues. Rebooted, checked for updates again, installed a couple of games to exercise curl and/or wget, no issues to report.

Giving this a 32-bit OK, and validating.
Keywords:
(none) =>
validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0135.html
Resolution:
(none) =>
FIXED