Bug 1097401 - VUL-0: CVE-2018-1000168: nodejs8: nghttp2: ALTSVC frame client side DoS
Status: RESOLVED FIXED
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
Reported: 2018-06-13 09:36 UTC by Marcus Meissner
Modified: 2020-07-02 13:05 UTC

Description Marcus Meissner 2018-06-13 09:36:27 UTC
nodejs8 embeds nghttp2 (is this necessary?)


+++ This bug was initially created as a clone of Bug #1088639 +++

From: Tatsuhiro Tsujikawa via distros

nghttp2 is a C library which implements HTTP/2.  The denial of service vulnerability was reported, and I, as a maintainer of the project, confirmed it.

The detailed description of vulnerability is attached below.

The planned release date of fix and disclosure is April, 12.

"""
### Vulnerability
If ALTSVC frame is received by libnghttp2 and it is larger than it can
accept, the pointer field which points to ALTSVC frame payload is left
NULL.  Later libnghttp2 attempts to access another field through the
pointer, and gets segmentation fault.

ALTSVC frame is defined by RFC 7838.

The largest frame size libnghttp2 accepts is by default 16384 bytes.

Receiving ALTSVC frame is disabled by default.  Application has to
enable it explicitly by calling
`nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC)`.

Transmission of ALTSVC is always enabled, and it does not cause this
vulnerability.

ALTSVC frame is expected to be sent by server, and received by client
as defined in RFC 7838.

Client and server are both affected by this vulnerability if the
reception of ALTSVC frame is enabled.  As written earlier, it is
useless to enable reception of ALTSVC frame on server side.  So,
server is generally safe unless application accidentally enabled the
reception of ALTSVC frame.

### Affected Versions
* Affected versions: nghttp2 >= 1.10.0 and nghttp2 <= v1.31.0
* Not affected versions: nghttp2 >= 1.31.1

### The Solution
Upgrade to nghttp2 v1.31.1.
If the upgrade is not possible:

For client, disable ALTSVC, removing the call to
`nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC)`.

For server, because it is never expected to receive ALTSVC, just
remove `nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC)`.
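
The condition the advisory above describes, an ALTSVC frame whose declared length exceeds the 16384-byte default, can be checked for in a decrypted HTTP/2 byte stream. This C code is an added example, not part of the bug report and not nghttp2 code: `count_oversized_altsvc`, the `H2_*` names and the sample bytes are constructed for illustration, and the buffer is assumed to start at a frame boundary after the connection preface.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define H2_FRAME_HDR_LEN 9u          /* RFC 7540: length(24) type(8) flags(8) R(1)+stream id(31) */
#define H2_TYPE_ALTSVC 0x0a          /* frame type assigned by RFC 7838 */
#define H2_DEFAULT_MAX_FRAME 16384u  /* default limit quoted in the advisory */

/* Constructed sample (not a real capture): SETTINGS, a 7-byte ALTSVC frame,
 * then an ALTSVC header declaring 16385 bytes, where the capture ends. */
static const uint8_t sample[] = {
    0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x07, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x01,
    0x00, 0x00, 'c', 'l', 'e', 'a', 'r',
    0x00, 0x40, 0x01, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x01,
};

/* Hypothetical helper: walks the frame headers in buf and returns how many
 * ALTSVC frames declare a length above max_frame. *first_off receives the
 * offset of the first such header, or (size_t)-1 when there is none. */
int count_oversized_altsvc(const uint8_t *buf, size_t len, uint32_t max_frame,
                           size_t *first_off)
{
    size_t off = 0;
    int hits = 0;

    *first_off = (size_t)-1;
    while (len - off >= H2_FRAME_HDR_LEN) {
        uint32_t flen = ((uint32_t)buf[off] << 16) |
                        ((uint32_t)buf[off + 1] << 8) | buf[off + 2];
        if (buf[off + 3] == H2_TYPE_ALTSVC && flen > max_frame) {
            if (hits++ == 0)
                *first_off = off;
        }
        /* The capture may end inside a payload: stop instead of reading past it. */
        if (flen > len - off - H2_FRAME_HDR_LEN)
            break;
        off += H2_FRAME_HDR_LEN + flen;
    }
    return hits;
}

int main(void)
{
    size_t at;
    int n = count_oversized_altsvc(sample, sizeof sample, H2_DEFAULT_MAX_FRAME, &at);
    printf("oversized ALTSVC frames: %d (first header at offset %zu)\n", n, at);
    return 0;
}
```

A frame of exactly 16384 bytes is not flagged; pass the peer's negotiated SETTINGS_MAX_FRAME_SIZE as `max_frame` when the endpoint advertises a larger limit.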
Comment 1 Adam Majer 2018-06-14 08:39:36 UTC
(In reply to Marcus Meissner from comment #0)
> nodejs8 embeds nghttp2 (is this necessary?)

I'll removed this bundling for SLE-15 in the security update, which means that this bug should now be fixed in the nghttp2 library only.
Comment 4 Swamp Workflow Management 2018-06-15 13:40:09 UTC
This is an autogenerated message for OBS integration:
This bug (1097401) was mentioned in
https://build.opensuse.org/request/show/617096 Factory / nodejs8
Comment 5 Swamp Workflow Management 2018-07-09 13:09:51 UTC
SUSE-SU-2018:1918-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1091764,1097375,1097401,1097404
CVE References: CVE-2018-1000168,CVE-2018-7161,CVE-2018-7167
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15 (src):    nodejs8-8.11.3-3.5.1
Comment 6 Swamp Workflow Management 2018-07-14 01:12:15 UTC
openSUSE-SU-2018:1963-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1091764,1097375,1097401,1097404
CVE References: CVE-2018-1000168,CVE-2018-7161,CVE-2018-7167
Sources used:
openSUSE Leap 15.0 (src):    nodejs8-8.11.3-lp150.2.3.1
Comment 11 Swamp Workflow Management 2018-09-20 13:11:24 UTC
This is an autogenerated message for OBS integration:
This bug (1097401) was mentioned in
https://build.opensuse.org/request/show/636889 42.3+Backports:SLE-12 / nodejs8
Comment 12 Swamp Workflow Management 2018-10-17 10:41:31 UTC
This is an autogenerated message for OBS integration:
This bug (1097401) was mentioned in
https://build.opensuse.org/request/show/642571 42.3+Backports:SLE-12 / nodejs8
Comment 13 Swamp Workflow Management 2018-10-19 12:40:45 UTC
This is an autogenerated message for OBS integration:
This bug (1097401) was mentioned in
https://build.opensuse.org/request/show/643179 42.3 / nodejs10
Comment 14 Swamp Workflow Management 2018-11-16 14:01:44 UTC
This is an autogenerated message for OBS integration:
This bug (1097401) was mentioned in
https://build.opensuse.org/request/show/649577 Backports:SLE-12-SP2 / nodejs8
Comment 18 Swamp Workflow Management 2019-12-11 20:25:17 UTC
SUSE-SU-2019:14246-1: An update that fixes 118 vulnerabilities is now available.

Category: security (important)
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    MozillaFirefox-68.2.0-78.51.4, MozillaFirefox-branding-SLED-68-21.9.8, firefox-atk-2.26.1-2.8.4, firefox-cairo-1.15.10-2.13.4, firefox-gcc5-5.3.1+r233831-14.1, firefox-gcc8-8.2.1+r264010-2.5.1, firefox-gdk-pixbuf-2.36.11-2.8.4, firefox-glib2-2.54.3-2.14.7, firefox-gtk3-3.10.9-2.15.3, firefox-harfbuzz-1.7.5-2.7.4, firefox-libffi-3.2.1.git259-2.3.3, firefox-libffi-gcc5-5.3.1+r233831-14.1, firefox-pango-1.40.14-2.7.4, mozilla-nspr-4.21-29.6.1, mozilla-nss-3.45-38.9.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.