{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-27316", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-02-23T14:20:56.465Z", "datePublished": "2024-04-04T19:21:41.984Z", "dateUpdated": "2025-02-13T17:46:24.574Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache HTTP Server", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "2.4.58", "status": "affected", "version": "2.4.17", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Bartek Nowotarski (https://nowotarski.info/)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion."}], "value": "HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-07-29T22:06:03.835Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"url": "https://www.openwall.com/lists/oss-security/2024/04/03/16"}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/04/4"}, {"url": "https://support.apple.com/kb/HT214119"}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/18"}], "source": {"discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2024-02-22T15:29:00.000Z", "value": "Reported to security team"}], "title": "Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "apache", "product": "http_server", "cpes": ["cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.4.17", "status": "affected", "lessThanOrEqual": "2.4.58", "versionType": "semver"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-07-29T15:46:29.859482Z", "id": "CVE-2024-27316", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-29T15:50:30.340Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:34:51.356Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"url": "https://www.openwall.com/lists/oss-security/2024/04/03/16", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/04/4", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT214119", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/18", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://httpd.apache.org/security/vulnerabilities_24.html", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://www.openwall.com/lists/oss-security/2024/04/03/16", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/04/4", "tags": ["x_transferred"]}, {"url": "https://support.apple.com/kb/HT214119", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/18", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:34:51.356Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-27316", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-29T15:46:29.859482Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*"], "vendor": "apache", "product": "http_server", "versions": [{"status": "affected", "version": "2.4.17", "versionType": "semver", "lessThanOrEqual": "2.4.58"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-29T15:50:22.768Z"}}], "cna": {"title": "Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Bartek Nowotarski (https://nowotarski.info/)"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache HTTP Server", "versions": [{"status": "affected", "version": "2.4.17", "versionType": "semver", "lessThanOrEqual": "2.4.58"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-02-22T15:29:00.000Z", "value": "Reported to security team"}], "references": [{"url": "https://httpd.apache.org/security/vulnerabilities_24.html", "tags": ["vendor-advisory"]}, {"url": "https://www.openwall.com/lists/oss-security/2024/04/03/16"}, {"url": "http://www.openwall.com/lists/oss-security/2024/04/04/4"}, {"url": "https://support.apple.com/kb/HT214119"}, {"url": "http://seclists.org/fulldisclosure/2024/Jul/18"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.", "supportingMedia": [{"type": "text/html", "value": "HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-07-29T22:06:03.835Z"}}}, "cveMetadata": {"cveId": "CVE-2024-27316", "state": "PUBLISHED", "dateUpdated": "2025-02-13T17:46:24.574Z", "dateReserved": "2024-02-23T14:20:56.465Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-04-04T19:21:41.984Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8379D2C9-34C1-40CC-A470-2436ED70EEBC", "versionEndExcluding": "2.4.59", "versionStartIncluding": "2.4.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*", "matchCriteriaId": "CA277A6C-83EC-4536-9125-97B84C4FAF59", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:ontap:9:*:*:*:*:*:*:*", "matchCriteriaId": "A20333EE-4C13-426E-8B54-D78679D5DDB8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion."}, {"lang": "es", "value": "Los encabezados entrantes HTTP/2 que exceden el l\u00edmite se almacenan temporalmente en nghttp2 para generar una respuesta HTTP 413 informativa. Si un cliente no deja de enviar encabezados, esto provoca que se agote la memoria."}], "id": "CVE-2024-27316", "lastModified": "2024-11-21T09:04:18.993", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-04-04T20:15:08.720", "references": [{"source": "security@apache.org", "url": "http://seclists.org/fulldisclosure/2024/Jul/18"}, {"source": "security@apache.org", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/04/04/4"}, {"source": "security@apache.org", "tags": ["Product", "Release Notes"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "security@apache.org", "url": "https://support.apple.com/kb/HT214119"}, {"source": "security@apache.org", "url": "https://www.openwall.com/lists/oss-security/2024/04/03/16"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2024/Jul/18"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2024/04/04/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product", "Release Notes"], "url": "https://httpd.apache.org/security/vulnerabilities_24.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://support.apple.com/kb/HT214119"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.openwall.com/lists/oss-security/2024/04/03/16"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Bartek Nowotarski (nowotarski.info) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-curl-0:8.7.1-2.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-httpd-0:2.4.57-10.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_http2-0:1.15.19-37.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_jk-0:1.2.49-6.redhat_1.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_md-1:2.4.24-6.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_proxy_cluster-0:1.3.20-4.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_security-0:2.9.3-36.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-nghttp2-0:1.43.0-13.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-curl-0:8.7.1-2.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-httpd-0:2.4.57-10.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_http2-0:1.15.19-37.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_jk-0:1.2.49-6.redhat_1.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_md-1:2.4.24-6.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_proxy_cluster-0:1.3.20-4.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_security-0:2.9.3-36.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2693", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-nghttp2-0:1.43.0-13.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:1786", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "httpd:2.4-8090020240405093943.a75119d5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-04-11T00:00:00Z"}, {"advisory": "RHSA-2024:2907", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "httpd:2.4-8060020240422183714.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-05-20T00:00:00Z"}, {"advisory": "RHSA-2024:2891", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "httpd:2.4-8080020240502175002.63b34585", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-05-16T00:00:00Z"}, {"advisory": "RHSA-2024:1872", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "mod_http2-0:1.15.19-5.el9_3.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-18T00:00:00Z"}, {"advisory": "RHSA-2024:2564", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "mod_http2-0:2.0.26-2.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2024:3417", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "mod_http2-0:1.15.19-3.el9_0.6", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-05-28T00:00:00Z"}, {"advisory": "RHSA-2024:3402", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "mod_http2-0:1.15.19-4.el9_2.6", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-05-28T00:00:00Z"}, {"advisory": "RHSA-2024:5147", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "HTTP-2", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5144", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-bouncycastle-0:1.78.1-1.redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5144", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-hal-console-0:3.3.23-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5144", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-ironjacamar-0:1.5.17-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5144", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jandex-0:2.4.5-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5144", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jboss-remoting-0:5.0.29-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5144", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jboss-server-migration-0:1.10.0-37.Final_redhat_00037.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5144", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-jboss-xnio-base-0:3.8.16-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5144", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-log4j-jboss-logmanager-0:1.3.1-1.Final_redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5144", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-netty-0:4.1.108-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5144", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-netty-transport-native-epoll-0:4.1.108-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5144", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-netty-xnio-transport-0:0.1.10-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5144", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-undertow-0:2.2.33-1.SP1_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5144", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-wildfly-0:7.4.18-1.GA_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5145", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-bouncycastle-0:1.78.1-1.redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5145", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-hal-console-0:3.3.23-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5145", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-ironjacamar-0:1.5.17-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5145", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jandex-0:2.4.5-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5145", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jboss-remoting-0:5.0.29-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5145", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jboss-server-migration-0:1.10.0-37.Final_redhat_00037.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5145", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-jboss-xnio-base-0:3.8.16-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5145", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-log4j-jboss-logmanager-0:1.3.1-1.Final_redhat_00002.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5145", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-netty-0:4.1.108-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5145", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-netty-transport-native-epoll-0:4.1.108-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5145", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-netty-xnio-transport-0:0.1.10-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5145", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-undertow-0:2.2.33-1.SP1_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5145", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-wildfly-0:7.4.18-1.GA_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5143", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-bouncycastle-0:1.78.1-1.redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5143", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-hal-console-0:3.3.23-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5143", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-ironjacamar-0:1.5.17-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5143", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jandex-0:2.4.5-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5143", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jboss-remoting-0:5.0.29-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5143", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jboss-server-migration-0:1.10.0-37.Final_redhat_00037.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5143", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-jboss-xnio-base-0:3.8.16-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5143", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-log4j-jboss-logmanager-0:1.3.1-1.Final_redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5143", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-netty-0:4.1.108-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5143", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-netty-transport-native-epoll-0:4.1.108-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5143", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-netty-xnio-transport-0:0.1.10-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5143", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-undertow-0:2.2.33-1.SP1_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:5143", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-wildfly-0:7.4.18-1.GA_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2024-08-08T00:00:00Z"}, {"advisory": "RHSA-2024:4392", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0", "package": "HTTP-2", "product_name": "Red Hat JBoss Enterprise Application Platform 8", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4390", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-hibernate-0:6.2.26-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4390", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-jboss-remoting-0:5.0.29-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4390", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-jboss-xnio-base-0:3.8.16-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4390", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-jose4j-0:0.9.6-1.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4390", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-undertow-0:2.3.14-1.SP1_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4390", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el8", "package": "eap8-wildfly-0:8.0.2-5.GA_redhat_00012.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4390", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-hibernate-0:6.2.26-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4390", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jboss-remoting-0:5.0.29-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4390", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jboss-xnio-base-0:3.8.16-1.Final_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4390", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-jose4j-0:0.9.6-1.redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4390", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-undertow-0:2.3.14-1.SP1_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4390", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8.0::el9", "package": "eap8-wildfly-0:8.0.2-5.GA_redhat_00012.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:2694", "cpe": "cpe:/a:redhat:jboss_core_services:1", "package": "jbcs-httpd24-httpd", "product_name": "Text-Only JBCS", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2694", "cpe": "cpe:/a:redhat:jboss_core_services:1", "package": "jbcs-httpd24-mod_http2", "product_name": "Text-Only JBCS", "release_date": "2024-05-07T00:00:00Z"}, {"advisory": "RHSA-2024:2694", "cpe": "cpe:/a:redhat:jboss_core_services:1", "package": "jbcs-httpd24-nghttp2", "product_name": "Text-Only JBCS", "release_date": "2024-05-07T00:00:00Z"}], "bugzilla": {"description": "httpd: CONTINUATION frames DoS", "id": "2268277", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2268277"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["HTTP/2 incoming headers exceeding the limit are temporarily buffered in nghttp2 in order to generate an informative HTTP 413 response. If a client does not stop sending headers, this leads to memory exhaustion.", "A vulnerability was found in how Apache httpd implements the HTTP/2 protocol. There are insufficient limitations placed on the amount of CONTINUATION frames that can be sent within a single stream. This issue could allow an unauthenticated remote attacker to send packets to vulnerable servers, which could use up memory resources to cause a Denial of Service."], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible."}, "name": "CVE-2024-27316", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Affected", "package_name": "HTTP-2", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:cryostat:2", "fix_state": "Affected", "package_name": "HTTP-2", "product_name": "Cryostat 2"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/elasticsearch-rhel8-operator", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Not affected", "package_name": "openshift-logging/fluentd-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:migration_toolkit_applications:6", "fix_state": "Will not fix", "package_name": "HTTP-2", "product_name": "Migration Toolkit for Applications 6"}, {"cpe": "cpe:/a:redhat:migration_toolkit_runtimes:1", "fix_state": "Affected", "package_name": "HTTP-2", "product_name": "Migration Toolkit for Runtimes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Not affected", "package_name": "multicluster-engine/console-mce-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:multicluster_engine", "fix_state": "Not affected", "package_name": "multicluster-engine/multicluster-engine-console-mce-rhel8", "product_name": "Multicluster Engine for Kubernetes"}, {"cpe": "cpe:/a:redhat:rhel_dotnet:6.0", "fix_state": "Affected", "package_name": "rh-dotnet60-dotnet", "product_name": ".NET 6.0 on Red Hat Enterprise Linux"}, {"cpe": "cpe:/a:redhat:ocp_tools", "fix_state": "Will not fix", "package_name": "jenkins", "product_name": "OpenShift Developer Tools and Services"}, {"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "HTTP-2", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Affected", "package_name": "3scale-amp-backend-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/console-rhel9", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Will not fix", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:advanced_cluster_security:4", "fix_state": "Will not fix", "package_name": "advanced-cluster-security/rhacs-main-rhel8", "product_name": "Red Hat Advanced Cluster Security 4"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Not affected", "package_name": "HTTP-2", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Not affected", "package_name": "HTTP-2", "product_name": "Red Hat build of Apache Camel for Quarkus"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:3", "fix_state": "Not affected", "package_name": "HTTP-2", "product_name": "Red Hat build of Apache Camel for Spring Boot 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "HTTP-2", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:rhboac_hawtio:4", "fix_state": "Not affected", "package_name": "HTTP-2", "product_name": "Red Hat build of Apache Camel - HawtIO"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Not affected", "package_name": "HTTP-2", "product_name": "Red Hat build of Apicurio Registry"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Not affected", "package_name": "HTTP-2", "product_name": "Red Hat build of Debezium"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "HTTP-2", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Not affected", "package_name": "HTTP-2", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Affected", "package_name": "HTTP-2", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "libmicrohttpd", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "httpd", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "keycloak-httpd-client-install", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "libmicrohttpd", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "dotnet6.0", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "dotnet6.0", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "HTTP-2", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "HTTP-2", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Not affected", "package_name": "HTTP-2", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Affected", "package_name": "mod_http2", "product_name": "Red Hat JBoss Core Services"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Affected", "package_name": "nghttp2", "product_name": "Red Hat JBoss Core Services"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Affected", "package_name": "HTTP-2", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "HTTP-2", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "jenkins", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift_data_science", "fix_state": "Affected", "package_name": "rhods/odh-dashboard-rhel8", "product_name": "Red Hat OpenShift Data Science (RHODS)"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Affected", "package_name": "devspaces/code-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3:", "fix_state": "Affected", "package_name": "devspaces/pluginregistry-rhel8", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:openshift_gitops:1", "fix_state": "Affected", "package_name": "openshift-gitops-1/argocd-rhel8", "product_name": "Red Hat OpenShift GitOps"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "HTTP-2", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "netty-codec-http2", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:service_interconnect:1", "fix_state": "Will not fix", "package_name": "libwebsockets", "product_name": "Red Hat Service Interconnect 1"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Will not fix", "package_name": "HTTP-2", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "httpd24-httpd", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "httpd24-nghttp2", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Will not fix", "package_name": "HTTP-2", "product_name": "streams for Apache Kafka"}], "public_date": "2024-04-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-27316\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-27316\nhttps://httpd.apache.org/security/vulnerabilities_24.html\nhttps://nowotarski.info/http2-continuation-flood/\nhttps://www.kb.cert.org/vuls/id/421644"], "statement": "Red Hat rates the security impact of this vulnerability as Moderate, in alignment with upstream Apache. The worst case scenario is memory exhaustion causing a denial of service. Once an attack has ended, the system should return to normal operations on its own.\nThis vulnerability stems from an imperfect definition of the HTTP/2 protocol. As the httpd component is widely utilized across nearly every major Red Hat offering, a full listing of impacted packages will not be provided. Therefore, the \u201cAffected Packages and Issued Red Hat Security Errata\u201d section contains a simplified list of what offerings need to remediate this vulnerability. Every impacted offering has at least one representative component listed, but potentially not all of them.", "threat_severity": "Moderate", "upstream_fix": "httpd 2.4.59"}