The Huawei EulerOS nghttp2 package prior to version 1.61.0 allows excessive CPU usage, leading to a vulnerability (CVE-2024-28182)
Reporter | Title | Published | Views | Family All 199 |
---|---|---|---|---|
![]() | nghttp2 security update | 14 Jun 202414:00 | – | rocky |
![]() | nodejs:18 security update | 9 May 202418:50 | – | rocky |
![]() | nodejs:18 security update | 9 May 202418:51 | – | rocky |
![]() | [slackware-security] nghttp2 | 4 Apr 202419:17 | – | slackware |
![]() | Important: nghttp2 | 9 May 202417:43 | – | amazon |
![]() | Important: nghttp2 | 24 Apr 202422:15 | – | amazon |
![]() | CVE-2024-28182 affecting package cmake for versions less than 3.21.4-14 | 27 Nov 202421:33 | – | cbl_mariner |
![]() | CVE-2024-28182 affecting package nodejs18 for versions less than 18.20.3-1 | 10 Jul 202419:52 | – | cbl_mariner |
![]() | CVE-2024-28182 affecting package nghttp2 for versions less than 1.57.0-2 | 1 Nov 202416:41 | – | cbl_mariner |
![]() | CVE-2024-28182 affecting package nodejs for versions less than 20.14.0-1 | 21 Jun 202409:32 | – | cbl_mariner |
Source | Link |
---|---|
developer | www.developer.huaweicloud.com/intl/en-us/euleros/securitydetail.html |
# SPDX-FileCopyrightText: 2024 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.1.2.2024.2312");
script_cve_id("CVE-2024-28182");
script_tag(name:"creation_date", value:"2024-09-03 13:47:15 +0000 (Tue, 03 Sep 2024)");
script_version("2024-09-04T05:16:32+0000");
script_tag(name:"last_modification", value:"2024-09-04 05:16:32 +0000 (Wed, 04 Sep 2024)");
script_tag(name:"cvss_base", value:"5.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_name("Huawei EulerOS: Security Advisory for nghttp2 (EulerOS-SA-2024-2312)");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2024 Greenbone AG");
script_family("Huawei EulerOS Local Security Checks");
script_dependencies("gb_huawei_euleros_consolidation.nasl");
script_mandatory_keys("ssh/login/euleros", "ssh/login/rpms", re:"ssh/login/release=EULEROSVIRT\-2\.12\.1");
script_xref(name:"Advisory-ID", value:"EulerOS-SA-2024-2312");
script_xref(name:"URL", value:"https://developer.huaweicloud.com/intl/en-us/euleros/securitydetail.html?secId=EulerOS-SA-2024-2312");
script_tag(name:"summary", value:"The remote host is missing an update for the Huawei EulerOS 'nghttp2' package(s) announced via the EulerOS-SA-2024-2312 advisory.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable package version is present on the target host.");
script_tag(name:"insight", value:"nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.(CVE-2024-28182)");
script_tag(name:"affected", value:"'nghttp2' package(s) on Huawei EulerOS Virtualization release 2.12.1.");
script_tag(name:"solution", value:"Please install the updated package(s).");
script_tag(name:"solution_type", value:"VendorFix");
script_tag(name:"qod_type", value:"package");
exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
release = rpm_get_ssh_release();
if(!release)
exit(0);
res = "";
report = "";
if(release == "EULEROSVIRT-2.12.1") {
if(!isnull(res = isrpmvuln(pkg:"libnghttp2", rpm:"libnghttp2~1.46.0~3.h3.eulerosv2r12", rls:"EULEROSVIRT-2.12.1"))) {
report += res;
}
if(report != "") {
security_message(data:report);
} else if(__pkg_match) {
exit(99);
}
exit(0);
}
exit(0);
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo