低危 nghttp2：太大的SETTINGS框架可能导致Do

CVE编号

CVE-2020-11080

利用情况

暂无

补丁情况

官方补丁

披露时间

2020-06-04

漏洞描述

在nghttp2中发现了资源消耗漏洞。此缺陷使攻击者可以重复构造一个过长的HTTP/2 SETTINGS帧，其长度为14,400字节，这会导致CPU使用率过高，从而导致拒绝服务。

解决建议

厂商已发布了漏洞修复程序，请及时关注更新：https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr

参考链接
http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html
https://github.com/nghttp2/nghttp2/commit/336a98feb0d56b9ac54e12736b18785c27f75090
https://github.com/nghttp2/nghttp2/commit/f8da73bd042f810f34d19f9eae02b46d870af394
https://github.com/nghttp2/nghttp2/security/advisories/GHSA-q5wr-xfw9-q7xr
https://lists.debian.org/debian-lts-announce/2021/10/msg00011.html
https://lists.debian.org/debian-lts-announce/2023/10/msg00023.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://www.debian.org/security/2020/dsa-4696
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://www.oracle.com/security-alerts/cpujul2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html

受影响软件情况

#	类型	厂商	产品	版本	影响面
1
	运行在以下环境
	应用	nghttp2	nghttp2	*		Up to (excluding) 1.41.0
	运行在以下环境
	系统	alpine_3.10	nghttp2	*		Up to (excluding) 1.39.2-r1
	运行在以下环境
	系统	alpine_3.11	nghttp2	*		Up to (excluding) 12.20.1-r0
	运行在以下环境
	系统	alpine_3.12	nghttp2	*		Up to (excluding) 12.18.3-r0
	运行在以下环境
	系统	alpine_3.13	nghttp2	*		Up to (excluding) 12.18.0-r0
	运行在以下环境
	系统	alpine_3.14	nghttp2	*		Up to (excluding) 12.18.0-r0
	运行在以下环境
	系统	alpine_3.15	nghttp2	*		Up to (excluding) 12.18.0-r0
	运行在以下环境
	系统	alpine_3.16	nghttp2	*		Up to (excluding) 12.18.0-r0
	运行在以下环境
	系统	alpine_3.17	nghttp2	*		Up to (excluding) 12.18.0-r0
	运行在以下环境
	系统	alpine_3.18	nghttp2	*		Up to (excluding) 12.18.0-r0
	运行在以下环境
	系统	alpine_3.9	nghttp2	*		Up to (excluding) 1.35.1-r2
	运行在以下环境
	系统	alpine_edge	nghttp2	*		Up to (excluding) 12.18.0-r0
	运行在以下环境
	系统	amazon_2	nghttp2	*		Up to (excluding) 1.41.0-1.amzn2
	运行在以下环境
	系统	amazon_AMI	nghttp2	*		Up to (excluding) 1.33.0-1.1.6.amzn1
	运行在以下环境
	系统	anolis_os_8	nghttp2	*		Up to (excluding) 1.33.0-3
	运行在以下环境
	系统	anolis_os_8.2	libnghttp2	*		Up to (excluding) 1.33.0-3
	运行在以下环境
	系统	centos_8	libnghttp2-debuginfo	*		Up to (excluding) 12.18.2-1.module+el8.2.0+7233+61d664c1
	运行在以下环境
	系统	debian_10	nghttp2	*		Up to (excluding) 1.36.0-2+deb10u2
	运行在以下环境
	系统	debian_11	nghttp2	*		Up to (excluding) 1.41.0-1
	运行在以下环境
	系统	debian_12	nghttp2	*		Up to (excluding) 1.41.0-1
	运行在以下环境
	系统	debian_9	nghttp2	*		Up to (excluding) 1.18.1-1+deb9u2
	运行在以下环境
	系统	debian_sid	nghttp2	*		Up to (excluding) 1.41.0-1
	运行在以下环境
	系统	fedora_31	nghttp2	*		Up to (excluding) 1.41.0-1.fc31
	运行在以下环境
	系统	fedora_32_Modular	nodejs	*		Up to (excluding) 14-3220201203015508.43bbeeef
	运行在以下环境
	系统	fedora_33	npm-6.14.8-1.14.15.1.1.fc33.x86_64.rpm (	*		Up to (excluding) 14.15.1-1.fc33
	运行在以下环境
	系统	fedora_33_Modular	nodejs	*		Up to (excluding) 14-3320201203015508.601d93de
	运行在以下环境
	系统	fedora_EPEL_7	nghttp2	*		Up to (excluding) 1.33.0-1.1.el7
	运行在以下环境
	系统	opensuse_Leap_15.1	nodejs8-devel	*		Up to (excluding) 8.17.0-lp151.2.15.1
	运行在以下环境
	系统	opensuse_Leap_15.2	libnghttp2_asio1-32bit	*		Up to (excluding) 1.40.0-lp152.2.6.1
	运行在以下环境
	系统	oracle_7	kernel	*		Up to (excluding) 1.7.3-1.0.5.el7
	运行在以下环境
	系统	oracle_8	oraclelinux-release	*		Up to (excluding) 1.18.3-1.module+el8.1.0+5392+4d6b561f
	运行在以下环境
系统	redhat_8	libnghttp2-debuginfo	*		Up to (excluding) 12.18.2-1.module+el8.2.0+7233+61d664c1
运行在以下环境
系统	suse_12	nodejs10	*		Up to (excluding) 10.21.0-1.24
运行在以下环境
系统	suse_12_SP5	libnghttp2	*		Up to (excluding) 14-1.39.2-3.5.1
运行在以下环境
系统	ubuntu_20.04	nghttp2	*		Up to (excluding) 1.40.0-1ubuntu0.1
运行在以下环境
系统	unionos_d	nghttp2	*		Up to (excluding) 1.36.0.2-deepin1

阿里云评分 3.1

• 攻击路径 远程
• 攻击复杂度 复杂
• 权限要求 无需权限
• 影响范围 有限影响
• EXP成熟度 未验证
• 补丁情况 官方补丁
• 数据保密性 无影响
• 数据完整性 无影响
• 服务器危害 无影响
• 全网数量 100

CWE-ID	漏洞类型
CWE-400	未加控制的资源消耗（资源穷尽）
CWE-707	对消息或数据结构的处理不恰当

Exp相关链接

- avd.aliyun.com