Amazon ALAS2-2023-2312
History: Oct 16, 2023 - 1:45 p.m.

Important: nghttp2

2023-10-16 13:45:00
alas.aws.amazon.com

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 7.5
Confidence: High

EPSS: 0.708
Percentile: 98.1%

Issue Overview:

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-44487)

Affected Packages:

nghttp2

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update nghttp2 to update your system.

New Packages:

aarch64:  
    nghttp2-1.41.0-1.amzn2.0.4.aarch64  
    libnghttp2-1.41.0-1.amzn2.0.4.aarch64  
    libnghttp2-devel-1.41.0-1.amzn2.0.4.aarch64  
    nghttp2-debuginfo-1.41.0-1.amzn2.0.4.aarch64  
  
i686:  
    nghttp2-1.41.0-1.amzn2.0.4.i686  
    libnghttp2-1.41.0-1.amzn2.0.4.i686  
    libnghttp2-devel-1.41.0-1.amzn2.0.4.i686  
    nghttp2-debuginfo-1.41.0-1.amzn2.0.4.i686  
  
src:  
    nghttp2-1.41.0-1.amzn2.0.4.src  
  
x86_64:  
    nghttp2-1.41.0-1.amzn2.0.4.x86_64  
    libnghttp2-1.41.0-1.amzn2.0.4.x86_64  
    libnghttp2-devel-1.41.0-1.amzn2.0.4.x86_64  
    nghttp2-debuginfo-1.41.0-1.amzn2.0.4.x86_64  
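
To confirm a host actually carries the fixed build after the update, the following added example (not part of the advisory) compares installed nghttp2 packages against the version listed above. The function names are hypothetical, and it assumes GNU `sort -V` ordering matches RPM ordering for these Amazon Linux 2 builds.

```shell
#!/bin/sh
# Fixed build taken from the New Packages list in this advisory.
FIXED_EVR="1.41.0-1.amzn2.0.4"

# evr_at_least INSTALLED FIXED
# Succeeds when INSTALLED sorts at or after FIXED.
# Assumption: GNU `sort -V` approximates rpm's version comparison here.
evr_at_least() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# classify
# Reads "name version-release" lines on stdin and reports the state of
# each package named in the advisory; other packages are ignored.
classify() {
    while read -r name evr; do
        case "$name" in
            nghttp2|libnghttp2|libnghttp2-devel|nghttp2-debuginfo) ;;
            *) continue ;;
        esac
        if evr_at_least "$evr" "$FIXED_EVR"; then
            echo "FIXED $name $evr"
        else
            echo "VULNERABLE $name $evr"
        fi
    done
}

# check_host
# Queries the local RPM database and classifies what is installed.
check_host() {
    rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'nghttp2*' 'libnghttp2*' |
        classify
}
```

Run `check_host` on each AL2 instance; any `VULNERABLE` line means `yum update nghttp2` has not yet been applied there. Processes that loaded libnghttp2 before the update keep the old library mapped until they are restarted.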

Additional References

Red Hat: CVE-2023-44487

Mitre: CVE-2023-44487
