CVE-2024-24990 - OpenCVE

When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate. Note: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html . Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

No data.

No data.

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/05/30/4
https://mailman.nginx.org/pipermail/nginx-announce/2024/NW6MNW34VZ6HDIHH5YFBIJYZJN7FGNAV.html
https://my.f5.com/manage/s/article/K000138445
https://nvd.nist.gov/vuln/detail/CVE-2024-24990
https://www.cve.org/CVERecord?id=CVE-2024-24990

History

No history.

MITRE

Status: PUBLISHED

Assigner: f5

Published: 2024-02-14T16:30:26.445Z

Updated: 2024-08-01T23:36:21.362Z

Reserved: 2024-02-02T00:32:55.375Z

Link: CVE-2024-24990

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2024-02-14T17:15:15.713

Modified: 2024-06-10T17:16:21.730

Link: CVE-2024-24990

Redhat

Severity : Important

Publid Date: 2024-02-14T00:00:00Z

Links: CVE-2024-24990 - Bugzilla

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-24990", "assignerOrgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "state": "PUBLISHED", "assignerShortName": "f5", "dateReserved": "2024-02-02T00:32:55.375Z", "datePublished": "2024-02-14T16:30:26.445Z", "dateUpdated": "2024-08-01T23:36:21.362Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "modules": ["HTTP/3", "QUIC"], "product": "NGINX Plus", "vendor": "F5", "versions": [{"lessThan": "R31 P1", "status": "affected", "version": "R31", "versionType": "custom"}, {"lessThan": "R30 P2", "status": "affected", "version": "R30", "versionType": "custom"}]}, {"defaultStatus": "unknown", "modules": ["HTTP/3", "QUIC"], "product": "NGINX Open Source", "vendor": "F5", "versions": [{"lessThan": "1.25.4", "status": "affected", "version": "1.25.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "F5"}], "datePublic": "2024-02-14T15:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<p>When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate.</p><p><strong>Note</strong>: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to <a target=\"_blank\" rel=\"nofollow\" href=\"https://nginx.org/en/docs/quic.html\">Support for QUIC and HTTP/3</a>.</p>\n\n \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated"}], "value": "\nWhen NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate.\n\nNote: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html .\n\n\n\n \n\n\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "description": "CWE-416 Use After Free", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "9dacffd4-cb11-413f-8451-fbbfd4ddc0ab", "shortName": "f5", "dateUpdated": "2024-02-14T16:30:26.445Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://my.f5.com/manage/s/article/K000138445"}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/30/4"}], "source": {"discovery": "INTERNAL"}, "title": "NGINX HTTP/3 QUIC vulnerability", "x_generator": {"engine": "F5 SIRTBot v1.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T23:36:21.362Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://my.f5.com/manage/s/article/K000138445"}, {"url": "http://www.openwall.com/lists/oss-security/2024/05/30/4", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"bugzilla": {"description": "nginx: Use-after-free in HTTP/3", "id": "2264298", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2264298"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-416", "details": ["When NGINX Plus or NGINX OSS are configured to use the HTTP/3 QUIC module, undisclosed requests can cause NGINX worker processes to terminate.\nNote: The HTTP/3 QUIC module is not enabled by default and is considered experimental. For more information, refer to Support for QUIC and HTTP/3 https://nginx.org/en/docs/quic.html .\nNote: Software versions which have reached End of Technical Support (EoTS) are not evaluated", "A flaw was found in the nginx HTTP/3 implementation. This issue may allow an attacker to use a specially crafted QUIC session to trigger a use-after-free condition, causing a worker process to crash, leading to a denial of service."], "name": "CVE-2024-24990", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Not affected", "package_name": "nginx", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nginx:1.22/nginx", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nginx:1.24/nginx", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nginx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nginx:1.22/nginx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "nginx:1.24/nginx", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-nginx118-nginx", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-nginx120-nginx", "product_name": "Red Hat Software Collections"}], "public_date": "2024-02-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-24990\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-24990\nhttps://mailman.nginx.org/pipermail/nginx-announce/2024/NW6MNW34VZ6HDIHH5YFBIJYZJN7FGNAV.html"], "statement": "The nginx package as shipped in Red Hat Enterprise Linux 8, 9 and RHSCL is not affected by this vulnerability because support for HTTP3 is not enabled and the vulnerable code was introduced in a newer version of nginx.", "threat_severity": "Important", "upstream_fix": "nginx 1.25.4"}