
Multiple nghttp2 Vulnerabilities Fixed in Ubuntu

by Rohan Timalsina

May 6, 2024 - TuxCare expert team

Recently, the Ubuntu security team addressed several vulnerabilities in nghttp2, an HTTP/2 C library together with the client, server and proxy tools built on it. The shared library ships as the libnghttp2-14 package and is also linked by other software on the system, including libcurl and the Apache httpd mod_http2 module, so these flaws reach well beyond the nghttp2 command-line tools. In this article, we will explore these vulnerabilities and their potential impact on affected systems.


nghttp2 Vulnerabilities in Ubuntu


CVE-2019-9511 and CVE-2019-9513 (CVSS v3 Score: 7.5 High)

These are two of the HTTP/2 denial-of-service flaws disclosed in August 2019. In CVE-2019-9511 ("Data Dribble") a client requests a large response across many streams and manipulates the flow-control window and stream priority so that the server is forced to queue the data in 1-byte chunks. In CVE-2019-9513 ("Resource Loop") a client opens many streams and continually reshuffles their priority, making the server rebuild its priority tree over and over. In both cases a remote attacker can drive up CPU and memory consumption on the server and cause a denial of service. These two issues were fixed upstream in nghttp2 1.39.2 and, in this update, only affected the packages in Ubuntu 16.04 and Ubuntu 18.04.


CVE-2023-44487 (CVSS v3 Score: 7.5 High)

This is the HTTP/2 "Rapid Reset" issue: nghttp2 mishandled request cancellation. A client may cancel a stream by sending RST_STREAM immediately after its HEADERS frame. A cancelled stream no longer counts against the SETTINGS_MAX_CONCURRENT_STREAMS limit, but the server has already allocated the stream and may have started processing the request, so a client that opens and resets streams in a tight loop can make the server do far more work per connection than the limit was meant to allow, exhausting CPU and memory and causing a denial of service. nghttp2 1.57.0 added a limit on the rate of such resets. As with the previous vulnerabilities, this update only needed to cover Ubuntu 16.04 and Ubuntu 18.04; the other releases had received the fix in an earlier update.


CVE-2024-28182

nghttp2 could be made to process an unlimited number of HTTP/2 CONTINUATION frames. In HTTP/2 a header block is sent as one HEADERS frame followed by zero or more CONTINUATION frames, and the block is only complete when a frame carries the END_HEADERS flag. nghttp2 kept reading and HPACK-decoding CONTINUATION frames without any bound on their number, even after it had reset the stream, so a client that simply never sets END_HEADERS can keep the server decoding indefinitely and burn its CPU. This flaw allowed an attacker to cause nghttp2 to consume resources, leading to a denial of service; it was fixed upstream in nghttp2 1.61.0. Unlike the prior vulnerabilities, this issue affected nghttp2 across all Ubuntu releases in the advisory: Ubuntu 23.10, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, Ubuntu 18.04, and Ubuntu 16.04.
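To make the failure mode concrete, here is an added example in Python (it is not nghttp2's code, nor code from the original article): a minimal HTTP/2 frame reassembler that collects a header block from HEADERS and CONTINUATION frames. With no limits it buffers forever, which is the behaviour the CVE describes; with a cap on the number of CONTINUATION frames or on the block size it rejects the connection instead. The cap values (8 frames, 64 KiB) are illustrative assumptions, not the values nghttp2 uses, and the frame payloads are constructed dummy bytes standing in for HPACK data.

```python
import struct

FRAME_HEADER_LEN = 9
TYPE_HEADERS = 0x1
TYPE_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4


class ProtocolError(Exception):
    """Raised where a real HTTP/2 peer would send GOAWAY(PROTOCOL_ERROR)."""


def encode_frame(ftype, flags, stream_id, payload):
    """Serialize one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    return (struct.pack(">I", len(payload))[1:]
            + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF)
            + payload)


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) from a byte string of frames."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ProtocolError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


def reassemble_header_block(data, max_continuations=None, max_block_bytes=None):
    """Collect one header block: HEADERS, then CONTINUATIONs until END_HEADERS.

    With both limits None the receiver keeps buffering and decoding with no
    bound, the behaviour CVE-2024-28182 describes. The limits are assumed
    illustrative values, not nghttp2's; the point is that some cap must exist.
    """
    block = bytearray()
    open_stream = None
    continuations = 0
    try:
        for ftype, flags, sid, payload in iter_frames(data):
            if ftype == TYPE_HEADERS:
                if open_stream is not None:
                    raise ProtocolError("new HEADERS while a header block is still open")
                open_stream, block, continuations = sid, bytearray(payload), 0
            elif ftype == TYPE_CONTINUATION:
                if open_stream != sid:
                    raise ProtocolError("CONTINUATION without an open header block on this stream")
                continuations += 1
                if max_continuations is not None and continuations > max_continuations:
                    raise ProtocolError("too many CONTINUATION frames")
                block += payload
            else:
                if open_stream is not None:
                    # RFC 7540 section 6.10: nothing may interleave inside a header block
                    raise ProtocolError("frame interleaved inside a header block")
                continue
            if max_block_bytes is not None and len(block) > max_block_bytes:
                raise ProtocolError("header block exceeds size limit")
            if flags & FLAG_END_HEADERS:
                return {"status": "complete", "block_len": len(block),
                        "continuations": continuations}
    except ProtocolError as err:
        return {"status": "rejected", "reason": str(err), "block_len": len(block),
                "continuations": continuations}
    return {"status": "incomplete", "block_len": len(block), "continuations": continuations}


# Constructed inputs, not captured traffic. Payload bytes are placeholders for
# HPACK-encoded header fragments.
def normal_request(stream_id=1):
    return (encode_frame(TYPE_HEADERS, 0, stream_id, b"\x82\x86\x84")
            + encode_frame(TYPE_CONTINUATION, FLAG_END_HEADERS, stream_id, b"\x41\x0a"))


def continuation_flood(n_frames, stream_id=1, chunk=b"\x00" * 16):
    """HEADERS with END_HEADERS never set, followed by n_frames CONTINUATIONs."""
    data = encode_frame(TYPE_HEADERS, 0, stream_id, chunk)
    for _ in range(n_frames):
        data += encode_frame(TYPE_CONTINUATION, 0, stream_id, chunk)
    return data


if __name__ == "__main__":
    flood = continuation_flood(1000)
    print("unbounded:", reassemble_header_block(flood))
    print("capped:   ", reassemble_header_block(flood, max_continuations=8, max_block_bytes=65536))
    print("normal:   ", reassemble_header_block(normal_request(), max_continuations=8))
```

Run it and the unbounded call reports `incomplete` with a buffer that grew by the full size of every frame sent, while the capped call rejects the connection after the ninth CONTINUATION and the well-formed request still completes. A real fix must also keep the HPACK decoder state consistent across the rejected frames, which is the part of the upstream change this toy omits.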

 

Mitigation Measures

These vulnerabilities have been patched in the Ubuntu updates published in USN-6754-1. To safeguard your Ubuntu systems, update the nghttp2 packages (libnghttp2-14, plus nghttp2-client, nghttp2-server or nghttp2-proxy where installed) to the fixed versions listed in the advisory for your release. Two caveats a practitioner should keep in mind: a library update only protects processes started after it, so any running service that already has libnghttp2 loaded (an Apache httpd with mod_http2, or a daemon that speaks HTTP/2 through libcurl) keeps the vulnerable copy in memory until it is restarted; and because these are denial-of-service flaws in frame parsing, whichever component terminates HTTP/2 in front of your application, such as a reverse proxy or load balancer, must be patched as well, since it is the one that actually parses the attacker's frames.
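As an added post-upgrade check (example code written for this article, not a TuxCare or Ubuntu tool), the Python script below does two things: it asks dpkg whether the installed libnghttp2-14 is at least the fixed version you pass on the command line (taken from the advisory for your release; no version is hard-coded here), and it scans /proc/<pid>/maps for processes that still have the pre-upgrade library mapped, which the kernel flags with a trailing "(deleted)". The SAMPLE_MAPS data is constructed to show the two cases and is not from a real host.

```python
import os
import re
import subprocess
import sys

# Ubuntu ships the shared library in the libnghttp2-14 package as libnghttp2.so.14.*
LIB_PATTERN = re.compile(r"/libnghttp2\.so\.\d+")
DELETED_SUFFIX = " (deleted)"


def stale_nghttp2_mappings(maps_by_pid):
    """Return {pid: library path} for processes still running the pre-upgrade library.

    maps_by_pid maps a pid to the lines of its /proc/<pid>/maps. dpkg replaces the
    .so file on disk during the upgrade; the kernel keeps the old inode alive for
    processes that mapped it and appends "(deleted)" to the path in their maps.
    """
    stale = {}
    for pid, lines in maps_by_pid.items():
        for line in lines:
            fields = line.split(None, 5)
            if len(fields) < 6:
                continue  # anonymous mapping, no pathname column
            path = fields[5].strip()
            if LIB_PATTERN.search(path) and path.endswith(DELETED_SUFFIX):
                stale[pid] = path[:-len(DELETED_SUFFIX)]
                break
    return stale


def read_proc_maps():
    """Read /proc/<pid>/maps for every process we are allowed to inspect (run as root to see all)."""
    maps = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/maps") as fh:
                    maps[int(entry)] = fh.read().splitlines()
            except OSError:
                pass  # process exited, or not ours to read
    return maps


def installed_version(package="libnghttp2-14"):
    """Installed Debian version string of a package, or None if it is not installed."""
    res = subprocess.run(["dpkg-query", "-W", "-f=${Version}", package],
                         capture_output=True, text=True)
    if res.returncode != 0:
        return None
    return res.stdout.strip() or None


def version_at_least(installed, fixed):
    """Compare with dpkg's own version ordering instead of reimplementing it."""
    return subprocess.run(["dpkg", "--compare-versions", installed, "ge", fixed]).returncode == 0


# Constructed sample of /proc maps output, not taken from a real host: pid 4242
# still maps a libnghttp2 that was replaced on disk, pid 4300 maps the current one.
SAMPLE_MAPS = {
    4242: [
        "7f3a2c000000-7f3a2c02b000 r--p 00000000 fd:01 131072 "
        "/usr/lib/x86_64-linux-gnu/libnghttp2.so.14.20.1 (deleted)",
        "7f3a2c02b000-7f3a2c03d000 r-xp 0002b000 fd:01 131072 "
        "/usr/lib/x86_64-linux-gnu/libnghttp2.so.14.20.1 (deleted)",
    ],
    4300: [
        "7f9b10000000-7f9b1002b000 r--p 00000000 fd:01 131099 "
        "/usr/lib/x86_64-linux-gnu/libnghttp2.so.14.20.1",
    ],
    1: [
        "55d3e0000000-55d3e0021000 r--p 00000000 fd:01 2048 /usr/lib/systemd/systemd",
        "7ffd5a000000-7ffd5a021000 rw-p 00000000 00:00 0",
    ],
}


if __name__ == "__main__":
    # Usage: sudo python3 check_nghttp2.py <fixed libnghttp2-14 version from the USN for your release>
    fixed = sys.argv[1] if len(sys.argv) > 1 else None
    current = installed_version()
    if current is None:
        print("libnghttp2-14 is not installed")
    elif fixed and not version_at_least(current, fixed):
        print(f"libnghttp2-14 {current} is older than the fixed {fixed}: run apt update && apt upgrade")
    else:
        print(f"libnghttp2-14 {current} installed")
    for pid, path in stale_nghttp2_mappings(read_proc_maps()).items():
        try:
            with open(f"/proc/{pid}/comm") as fh:
                name = fh.read().strip()
        except OSError:
            name = "?"
        print(f"pid {pid} ({name}) still maps pre-upgrade {path}: restart it")
```

Run it as root after `apt update && apt upgrade` so that every process's maps are readable; each process it lists needs a restart (for example `systemctl restart apache2`) before the fix is actually in effect for it. The `needrestart` package available in Ubuntu performs the same stale-library check for all packages, and the `(deleted)` test used here is the same signal it relies on.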

Ubuntu 16.04 and Ubuntu 18.04 have already reached the end of standard support, so for those releases the fixes are only published through Expanded Security Maintenance (ESM), which requires an Ubuntu Pro subscription. Alternatively, users can utilize TuxCare's Extended Lifecycle Support to receive security updates for their Ubuntu 16.04 and Ubuntu 18.04 systems. TuxCare offers an additional five years of vulnerability patching after the EOL date. With extended support, you can keep your system protected from new vulnerabilities while you focus on planning a safe migration.

Send questions to a TuxCare security expert to learn how Extended Lifecycle Support helps secure your end-of-life Linux OS.


Source: USN-6754-1
