Multiple nghttp2 Vulnerabilities Fixed in Ubuntu
Recently, the Ubuntu security team addressed several vulnerabilities in nghttp2, a crucial HTTP/2 C library and set of tools, across various Ubuntu releases. In this article, we will explore these vulnerabilities and their potential impact on affected systems.
nghttp2 Vulnerabilities in Ubuntu
CVE-2019-9511 and CVE-2019-9513 (CVSS v3 Score: 7.5 High)
nghttp2 incorrectly handled certain aspects of its HTTP/2 implementation, allowing a remote attacker to trigger excessive resource consumption and ultimately cause a denial of service. Notably, this vulnerability affected only the Ubuntu 16.04 and Ubuntu 18.04 releases.
CVE-2023-44487 (CVSS v3 Score: 7.5 High)
This vulnerability stemmed from nghttp2's mishandling of request cancellation: a remote attacker could exploit the flaw to consume resources and cause a denial of service. As with the previous vulnerabilities, this issue affected only Ubuntu 16.04 and Ubuntu 18.04.
nghttp2 could also be made to process an unlimited number of HTTP/2 CONTINUATION frames. An attacker could use this flaw to make nghttp2 consume resources, leading to a denial of service. Unlike the prior vulnerabilities, this issue affected nghttp2 across several Ubuntu releases: Ubuntu 23.10, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, Ubuntu 18.04, and Ubuntu 16.04.
Mitigation Measures
Thankfully, these vulnerabilities have been patched in the latest Ubuntu updates. To safeguard your Ubuntu systems, update them promptly to the latest package versions. Applying these updates protects the system against exploitation of these nghttp2 vulnerabilities.
Since Ubuntu 16.04 and Ubuntu 18.04 have already reached end of life, these updates are only available with a costly Ubuntu Pro subscription. Alternatively, users can turn to affordable solutions like TuxCare’s Extended Lifecycle Support to receive security updates for their Ubuntu 16.04 and Ubuntu 18.04 systems. TuxCare offers an additional five years of vulnerability patching after the EOL date. With extended support, your system stays protected from new vulnerabilities while you focus on planning a safe migration.
Send questions to a TuxCare security expert to learn how Extended Lifecycle Support helps secure your end-of-life Linux OS.
Source: USN-6754-1