CVE-2024-27983

Published: 03 Apr 2024
Source: redhat
CVSS3: 7.5
EPSS: Medium

Description

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.

A vulnerability was found in how Node.js implements the HTTP/2 protocol. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated, remote attacker to send packets to vulnerable servers, which could use up compute or memory resources, causing a denial of service.

Report

Red Hat rates the security impact of this vulnerability as Important due to the worst-case scenario resulting in a denial of service, in alignment with the upstream Node.js project. It is simple to exploit, could significantly impact availability, and there is no reasonable mitigation. Once an attack has ended, the system should return to normal operations on its own.

Mitigation

Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.

Affected packages

| Platform | Package | Status | Advisory | Release |
| --- | --- | --- | --- | --- |
| Red Hat Enterprise Linux 8 | nodejs:16/nodejs | Affected | | |
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2024:2778 | 09.05.2024 |
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2024:2780 | 09.05.2024 |
| Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | nodejs | Fixed | RHSA-2024:3553 | 03.06.2024 |
| Red Hat Enterprise Linux 8.6 Telecommunications Update Service | nodejs | Fixed | RHSA-2024:3553 | 03.06.2024 |
| Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | nodejs | Fixed | RHSA-2024:3553 | 03.06.2024 |
| Red Hat Enterprise Linux 8.8 Extended Update Support | nodejs | Fixed | RHSA-2024:4353 | 08.07.2024 |
| Red Hat Enterprise Linux 8.8 Extended Update Support | nodejs | Fixed | RHSA-2024:4824 | 24.07.2024 |
| Red Hat Enterprise Linux 9 | nodejs | Fixed | RHSA-2024:2779 | 09.05.2024 |
| Red Hat Enterprise Linux 9 | nodejs | Fixed | RHSA-2024:2853 | 15.05.2024 |

Additional information

Status: Important
Weakness: CWE-400

EPSS: 0.6865 (Medium), percentile: 99%

CVSS3: 7.5 High

Related vulnerabilities

CVSS3: 8.2
ubuntu
about 1 year ago

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.

CVSS3: 8.2
nvd
about 1 year ago

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.

CVSS3: 8.2
msrc
about 1 year ago

No description available

CVSS3: 8.2
debian
about 1 year ago

An attacker can make the Node.js HTTP/2 server completely unavailable ...

CVSS3: 8.2
github
about 1 year ago

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
