Ubuntu update for nghttp2

1) Resource exhaustion

EUVDB-ID: #VU20196

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-9511

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation when processing HTTP/2 requests. A remote attacker can send a specially crafted HTTP/2 request the affected server, consume all available CPU resources and perform a denial of service (DoS) attack.

Successful exploitation of the vulnerability requires that support for HTTP/2 is enabled.

Mitigation

Update the affected package nghttp2 to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 23.10

nghttp2-server (Ubuntu package): before Ubuntu Pro

nghttp2-proxy (Ubuntu package): before Ubuntu Pro

nghttp2-client (Ubuntu package): before Ubuntu Pro

nghttp2 (Ubuntu package): before Ubuntu Pro

libnghttp2-14 (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-6754-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Resource exhaustion

EUVDB-ID: #VU20197

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-9513

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation when processing HTTP/2 requests. A remote attacker can send a specially crafted HTTP/2 request the affected server, consume all available CPU resources and perform a denial of service (DoS) attack.

Successful exploitation of the vulnerability requires that support for HTTP/2 is enabled.

Mitigation

Update the affected package nghttp2 to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 23.10

nghttp2-server (Ubuntu package): before Ubuntu Pro

nghttp2-proxy (Ubuntu package): before Ubuntu Pro

nghttp2-client (Ubuntu package): before Ubuntu Pro

nghttp2 (Ubuntu package): before Ubuntu Pro

libnghttp2-14 (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-6754-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Resource exhaustion

EUVDB-ID: #VU81728

Risk: High

CVSSv3.1: 5.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H/RL:O/RC:C]

CVE-ID: CVE-2023-44487

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improperly control of consumption for internal resources when handling HTTP/2 requests with compressed HEADERS frames. A remote attacker can send a sequence of compressed HEADERS frames followed by RST_STREAM frames and perform a denial of service (DoS) attack, a.k.a. "Rapid Reset".

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Update the affected package nghttp2 to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 23.10

nghttp2-server (Ubuntu package): before Ubuntu Pro

nghttp2-proxy (Ubuntu package): before Ubuntu Pro

nghttp2-client (Ubuntu package): before Ubuntu Pro

nghttp2 (Ubuntu package): before Ubuntu Pro

libnghttp2-14 (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-6754-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

4) Input validation error

EUVDB-ID: #VU88144

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-28182

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to reading the unbounded number of HTTP/2 CONTINUATION frames. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Update the affected package nghttp2 to the latest version.

Vulnerable software versions

Ubuntu: 16.04 - 23.10

nghttp2-server (Ubuntu package): before Ubuntu Pro

nghttp2-proxy (Ubuntu package): before Ubuntu Pro

nghttp2-client (Ubuntu package): before Ubuntu Pro

nghttp2 (Ubuntu package): before Ubuntu Pro

libnghttp2-14 (Ubuntu package): before Ubuntu Pro

External links

http://ubuntu.com/security/notices/USN-6754-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.