nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in >= 1.31.1.

An update of the cmake package has been released.

An update of the nodejs package has been released.

The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2786 advisory.

  - nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20     vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service.
    This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in     >= 1.31.1. (CVE-2018-1000168)

  - In nghttp2 before version 1.41.0, the overly large HTTP/2 SETTINGS frame payload causes denial of service.
    The proof of concept attack involves a malicious client constructing a SETTINGS frame with a length of     14,400 bytes (2400 individual settings entries) over and over again. The attack causes the CPU to spike at     100%. nghttp2 v1.41.0 fixes this vulnerability. There is a workaround to this vulnerability. Implement     nghttp2_on_frame_recv_callback callback, and if received frame is SETTINGS frame and the number of     settings entries are large (e.g., > 32), then drop the connection. (CVE-2020-11080)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for nghttp2 fixes the following issues :

Security issues fixed :

CVE-2020-11080: HTTP/2 Large Settings Frame DoS (bsc#1181358).

CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service (bsc#1146184).

CVE-2019-9511: Fixed HTTP/2 implementations that are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service (bsc#1146182).

CVE-2018-1000168: Fixed ALTSVC frame client side denial of service (bsc#1088639).

CVE-2016-1544: Fixed out of memory due to unlimited incoming HTTP header fields (bsc#966514).

Bug fixes and enhancements :

Packages must not mark license files as %doc (bsc#1082318)

Typo in description of libnghttp2_asio1 (bsc#962914)

Fixed mistake in spec file (bsc#1125689)

Fixed build issue with boost 1.70.0 (bsc#1134616)

Fixed build issue with GCC 6 (bsc#964140)

Feature: Add W&S module (FATE#326776, bsc#1112438)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for nodejs8 to version 8.11.3 fixes the following issues :

These security issues were fixed :

  - CVE-2018-7167: Calling Buffer.fill() or Buffer.alloc()     with some parameters could have lead to a hang which     could have resulted in a DoS (bsc#1097375).

  - CVE-2018-7161: By interacting with the http2 server in a     manner that triggered a cleanup bug where objects are     used in native code after they are no longer available     an attacker could have caused a denial of service (DoS)     by causing a node server providing an http2 server to     crash (bsc#1097404).

  - CVE-2018-1000168: Fixed a denial of service     vulnerability by unbundling nghttp2 (bsc#1097401)

This update was imported from the SUSE:SLE-15:Update update project.

The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:0367 advisory.

    Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This     software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged     under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent     update experience.

    This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.29 Service Pack 1 serves as an update     to Red Hat JBoss Core Services Apache HTTP Server 2.4.29, and includes bug fixes for CVEs which are linked     to in the References section.

    Security Fixes:

    * httpd: DoS for HTTP/2 connections by continuous SETTINGS (CVE-2018-11763)

    * httpd: Weak Digest auth nonce generation in mod_auth_digest     (CVE-2018-1312)

    * httpd: Out of bound access after failure in reading the HTTP request     (CVE-2018-1301)

    * httpd: Use-after-free on HTTP/2 stream shutdown (CVE-2018-1302)

    * httpd: <FilesMatch> bypass with a trailing newline in the file name     (CVE-2017-15715)

    * httpd: Out of bound write in mod_authnz_ldap when using too small     Accept-Language values (CVE-2017-15710)

    * httpd: Out of bounds read in mod_cache_socache can allow a remote     attacker to cause a denial of service (CVE-2018-1303)

    * httpd: Improper handling of headers in mod_session can allow a remote     user to modify session data for CGI applications (CVE-2018-1283)

    * httpd: mod_http2: too much time allocated to workers, possibly leading to     DoS (CVE-2018-1333)

    * mod_jk: connector path traversal due to mishandled HTTP requests in httpd     (CVE-2018-11759)

    * nghttp2: Null pointer dereference when too large ALTSVC frame is received     (CVE-2018-1000168)

    * openssl: Handling of crafted recursive ASN.1 structures can cause a stack     overflow and resulting denial of service (CVE-2018-0739)

    Details around each issue, including information about the CVE, severity of     the issue, and the CVSS score, can be found on the CVE pages listed in the     Reference section below.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the nghttp2 package has been released.

- update to the latest upstream release (fixes     CVE-2018-1000168)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for nodejs8 to version 8.11.3 fixes the following issues:
These security issues were fixed :

  - CVE-2018-7167: Calling Buffer.fill() or Buffer.alloc()     with some parameters could have lead to a hang which     could have resulted in a DoS (bsc#1097375).

  - CVE-2018-7161: By interacting with the http2 server in a     manner that triggered a cleanup bug where objects are     used in native code after they are no longer available     an attacker could have caused a denial of service (DoS)     by causing a node server providing an http2 server to     crash (bsc#1097404).

  - CVE-2018-1000168: Fixed a denial of service     vulnerability by unbundling nghttp2 (bsc#1097401)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Node.js installed on the remote host is 6.x prior to 6.14.3, 8.x prior to 8.11.3, 9.x prior to 9.11.2 or 10.x prior to 10.4.1. It is, therefore, affected by multiple vulnerabilities.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Node.js reports : Denial of Service Vulnerability in HTTP/2 (CVE-2018-7161) All versions of 8.x and later are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node server providing an http2 server to crash. This can be accomplished by interacting with the http2 server in a manner that triggers a cleanup bug where objects are used in native code after they are no longer available. This has been addressed by updating the http2 implementation. Thanks to Jordan Zebor at F5 Networks for reporting this issue. Denial of Service, nghttp2 dependency (CVE-2018-1000168) All versions of 9.x and later are vulnerable and the severity is HIGH. Under certain conditions, a malicious client can trigger an uninitialized read (and a subsequent segfault) by sending a malformed ALTSVC frame. This has been addressed through an by updating nghttp2. Denial of Service Vulnerability in TLS (CVE-2018-7162) All versions of 9.x and later are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node process which provides an http server supporting TLS server to crash. This can be accomplished by sending duplicate/unexpected messages during the handshake. This vulnerability has been addressed by updating the TLS implementation. Thanks to Jordan Zebor at F5 Networks all of his help investigating this issue with the Node.js team. Memory exhaustion DoS on v9.x (CVE-2018-7164) Versions 9.7.0 and later are vulnerable and the severity is MEDIUM. A bug introduced in 9.7.0 increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream. An attacker could use this cause a denial of service by sending tiny chunks of data in short succession. This vulnerability was restored by reverting to the prior behaviour. Calls to Buffer.fill() and/or Buffer.alloc() may hang (CVE-2018-7167) Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases.

nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability appears to have been fixed in >= 1.31.1.
(CVE-2018-1000168)

nghttp2 blog :

If ALTSVC frame is received by libnghttp2 and it is larger than it can accept, the pointer field which points to ALTSVC frame payload is left NULL. Later libnghttp2 attempts to access another field through the pointer, and gets segmentation fault.

ALTSVC frame is defined by RFC 7838.

The largest frame size libnghttp2 accept is by default 16384 bytes.

Receiving ALTSVC frame is disabled by default. Application has to enable it explicitly by calling nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC).

Transmission of ALTSVC is always enabled, and it does not cause this vulnerability.

ALTSVC frame is expected to be sent by server, and received by client as defined in RFC 7838.

Client and server are both affected by this vulnerability if the reception of ALTSVC frame is enabled. As written earlier, it is useless to enable reception of ALTSVC frame on server side. So, server is generally safe unless application accidentally enabled the reception of ALTSVC frame.

ID	Name	Product	Family	Severity
204458	Photon OS 5.0: Cmake PHSA-2023-5.0-0035	Nessus	PhotonOS Local Security Checks	critical
203609	Photon OS 4.0: Nodejs PHSA-2023-4.0-0415	Nessus	PhotonOS Local Security Checks	high
154195	Debian DLA-2786-1 : nghttp2 - LTS security update	Nessus	Debian Local Security Checks	high
148164	SUSE SLES12 Security Update : nghttp2 (SUSE-SU-2021:0932-1) (Data Dribble) (Resource Loop)	Nessus	SuSE Local Security Checks	high
123217	openSUSE Security Update : nodejs8 (openSUSE-2019-513)	Nessus	SuSE Local Security Checks	high
122292	RHEL 6 / 7 : Red Hat JBoss Core Services Apache HTTP Server 2.4.29 (RHSA-2019:0367)	Nessus	Red Hat Local Security Checks	critical
121850	Photon OS 1.0: Nghttp2 PHSA-2018-1.0-0150	Nessus	PhotonOS Local Security Checks	high
120750	Fedora 28 : nghttp2 (2018-bdefa5e5bb)	Nessus	Fedora Local Security Checks	high
120038	SUSE SLES15 Security Update : nodejs8 (SUSE-SU-2018:1918-1)	Nessus	SuSE Local Security Checks	high
118957	Node.js multiple vulnerabilities (July 2018 Security Releases).	Nessus	Misc.	high
111095	openSUSE Security Update : nodejs8 (openSUSE-2018-724)	Nessus	SuSE Local Security Checks	high
110539	FreeBSD : node.js -- multiple vulnerabilities (45b8e2eb-7056-11e8-8fab-63ca6e0e13a2)	Nessus	FreeBSD Local Security Checks	high
110193	Amazon Linux 2 : nghttp2 (ALAS-2018-1020)	Nessus	Amazon Linux Local Security Checks	high
109226	Fedora 27 : nghttp2 (2018-cec96a9c41)	Nessus	Fedora Local Security Checks	high
109050	FreeBSD : nghttp2 -- Denial of service due to NULL pointer dereference (1fccb25e-8451-438c-a2b9-6a021e4d7a31)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2018-1000168

high

Tenable Plugins

critical

high

high

high

high

critical

high

high

high

high

high

high

high

high

high