Bug 1088639 - (CVE-2018-1000168) VUL-0: CVE-2018-1000168: nghttp2: ALTSVC frame client side DoS
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Security Team bot
CVSSv3:SUSE:CVE-2018-1000168:5.9:(AV:...
Reported: 2018-04-09 10:03 UTC by Johannes Segitz
Modified: 2021-03-24 19:00 UTC (History)



Attachments
Upstream patch (1.99 KB, patch)
2018-04-09 15:07 UTC, Johannes Segitz

Description Johannes Segitz 2018-04-09 10:03:46 UTC
From: Tatsuhiro Tsujikawa via distros

nghttp2 is a C library which implements HTTP/2.  A denial of service vulnerability was reported, and I, as a maintainer of the project, confirmed it.

The detailed description of the vulnerability is attached below.

The planned release date of the fix and disclosure is April 12.

"""
### Vulnerability
If an ALTSVC frame is received by libnghttp2 and it is larger than it can accept, the pointer field which points to the ALTSVC frame payload is left NULL.  Later libnghttp2 attempts to access another field through the pointer, and gets a segmentation fault.

The ALTSVC frame is defined by RFC 7838.

The largest frame size libnghttp2 accepts is by default 16384 bytes.

Receiving ALTSVC frames is disabled by default.  An application has to enable it explicitly by calling `nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC)`.

Transmission of ALTSVC is always enabled, and it does not cause this vulnerability.

An ALTSVC frame is expected to be sent by a server and received by a client, as defined in RFC 7838.

Client and server are both affected by this vulnerability if the reception of ALTSVC frames is enabled.  As written earlier, it is useless to enable reception of ALTSVC frames on the server side.  So, a server is generally safe unless the application accidentally enabled the reception of ALTSVC frames.

### Affected Versions
* Affected versions: nghttp2 >= 1.10.0 and nghttp2 <= v1.31.0
* Not affected versions: nghttp2 >= 1.31.1

### The Solution
Upgrade to nghttp2 v1.31.1.

If the upgrade is not possible:

* For a client, disable ALTSVC by removing the call to `nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC)`.
* For a server, because it is never expected to receive ALTSVC, just remove `nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC)`.
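
The failure pattern the advisory describes, as an added example that is not part of the original report and is neither nghttp2's code nor the upstream patch: an oversized frame takes an early-return path that never sets the payload pointer, and a later cleanup step reads a field through it. All type and function names are hypothetical; only the 16384-byte limit comes from the advisory.

```c
/* Simplified model of the failure pattern; NOT nghttp2 source code.
   All type and function names here are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_FRAME_SIZE 16384u /* default limit quoted in the advisory */
typedef struct { uint8_t *origin; size_t origin_len; } altsvc_payload;
typedef struct {
  altsvc_payload *payload; /* wired up only when the frame is accepted */
  altsvc_payload storage;
  int size_error;
} inbound_frame;

/* Header step: an oversized frame is flagged and returns early, so the
   payload pointer stays NULL. */
void on_frame_header(inbound_frame *f, size_t announced_len) {
  f->payload = NULL;
  f->storage.origin = NULL;
  f->storage.origin_len = 0;
  f->size_error = announced_len > MAX_FRAME_SIZE;
  if (f->size_error) return;
  f->payload = &f->storage;
  f->payload->origin = malloc(announced_len ? announced_len : 1);
  if (f->payload->origin) f->payload->origin_len = announced_len;
}

/* Vulnerable cleanup: assumes payload is always set. After an oversized
   frame this reads a field through NULL and the process crashes. */
void frame_reset_vulnerable(inbound_frame *f) {
  free(f->payload->origin);
  f->payload = NULL;
}

/* Hardened cleanup: returns 1 if a payload was released, 0 if the frame
   never had one (the oversized case). */
int frame_reset_hardened(inbound_frame *f) {
  if (f->payload == NULL) return 0;
  free(f->payload->origin);
  f->payload->origin = NULL;
  f->payload = NULL;
  return 1;
}

int main(void) {
  inbound_frame f;
  on_frame_header(&f, MAX_FRAME_SIZE + 1); /* constructed oversized length */
  return frame_reset_hardened(&f);         /* 0: nothing freed, no crash */
}
```
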
Comment 1 Johannes Segitz 2018-04-09 10:04:16 UTC
Factory and SLE 15 affected. 

CRD: 2018-04-12
Comment 3 Tomáš Chvátal 2018-04-09 10:23:32 UTC
(In reply to Johannes Segitz from comment #1)
> Factory and SLE 15 affected. 
> 
> CRD: 2018-04-12

Since both are not protected by US I will do the update on 2018-04-12 after I eat lunch :)
Comment 4 Johannes Segitz 2018-04-09 15:07:18 UTC
Created attachment 766479 [details]
Upstream patch
Comment 5 Johannes Segitz 2018-04-13 07:08:46 UTC
public
Comment 6 Tomáš Chvátal 2018-04-13 08:45:39 UTC
Factory and SLE-15 submissions sent.
Comment 8 Swamp Workflow Management 2018-04-13 09:20:09 UTC
This is an autogenerated message for OBS integration:
This bug (1088639) was mentioned in
https://build.opensuse.org/request/show/596227 Factory / nghttp2
Comment 9 Marcus Meissner 2018-11-09 08:00:37 UTC
done
Comment 13 Swamp Workflow Management 2021-03-24 14:23:25 UTC
SUSE-SU-2021:0932-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1082318,1088639,1112438,1125689,1134616,1146182,1146184,1181358,962914,964140,966514
CVE References: CVE-2016-1544,CVE-2018-1000168,CVE-2019-9511,CVE-2019-9513,CVE-2020-11080
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    nghttp2-1.39.2-3.5.1
SUSE OpenStack Cloud Crowbar 8 (src):    nghttp2-1.39.2-3.5.1
SUSE OpenStack Cloud 9 (src):    nghttp2-1.39.2-3.5.1
SUSE OpenStack Cloud 8 (src):    nghttp2-1.39.2-3.5.1
SUSE OpenStack Cloud 7 (src):    nghttp2-1.39.2-3.5.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    nghttp2-1.39.2-3.5.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    nghttp2-1.39.2-3.5.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    nghttp2-1.39.2-3.5.1
SUSE Linux Enterprise Server 12-SP5 (src):    nghttp2-1.39.2-3.5.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    nghttp2-1.39.2-3.5.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    nghttp2-1.39.2-3.5.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    nghttp2-1.39.2-3.5.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    nghttp2-1.39.2-3.5.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    nghttp2-1.39.2-3.5.1
HPE Helion Openstack 8 (src):    nghttp2-1.39.2-3.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.