What is the severity of CVE-2024-27983?

CVE-2024-27983 is classified as a denial-of-service vulnerability affecting Node.js HTTP/2 servers.

How do I fix CVE-2024-27983?

To mitigate CVE-2024-27983, ensure that your F5 BIG-IP and IBM Cognos Analytics software is updated to the latest patched versions.

What products are affected by CVE-2024-27983?

CVE-2024-27983 affects F5 BIG-IP versions 15.1.0 to 15.1.10, 16.1.0 to 16.1.4, and 17.1.0 to 17.1.1, as well as specific IBM Cognos Analytics versions.

Can CVE-2024-27983 lead to data loss?

CVE-2024-27983 primarily causes service unavailability, and while it may not directly lead to data loss, it can impact service accessibility.

What types of attacks exploit CVE-2024-27983?

CVE-2024-27983 can be exploited through sending a small number of malicious HTTP/2 frames to cause denial of service.

Vulnerability/
CVE-2024-27983

high

8.2

CWE

362

2/4/2024

9/4/2024

7/5/2024

17/1/2025

CVE-2024-27983: Race Condition

First published: Tue Apr 02 2024(Updated: )

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.

Credit: support@hackerone.com

Affected Software	Affected Version	How to fix
IBM Cognos Analytics	<=12.0.0-12.0.3
IBM Cognos Analytics	<=11.2.0-11.2.4 FP4
F5 BIG-IP and BIG-IQ Centralized Management	>=17.1.0<=17.1.2
F5 BIG-IP and BIG-IQ Centralized Management	>=16.1.0<=16.1.5
F5 BIG-IP and BIG-IQ Centralized Management	>=15.1.0<=15.1.10

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

IBM-7177223

Frequently Asked Questions

What is the severity of CVE-2024-27983?
CVE-2024-27983 is classified as a denial-of-service vulnerability affecting Node.js HTTP/2 servers.
How do I fix CVE-2024-27983?
To mitigate CVE-2024-27983, ensure that your F5 BIG-IP and IBM Cognos Analytics software is updated to the latest patched versions.
What products are affected by CVE-2024-27983?
CVE-2024-27983 affects F5 BIG-IP versions 15.1.0 to 15.1.10, 16.1.0 to 16.1.4, and 17.1.0 to 17.1.1, as well as specific IBM Cognos Analytics versions.
Can CVE-2024-27983 lead to data loss?
CVE-2024-27983 primarily causes service unavailability, and while it may not directly lead to data loss, it can impact service accessibility.
What types of attacks exploit CVE-2024-27983?
CVE-2024-27983 can be exploited through sending a small number of malicious HTTP/2 frames to cause denial of service.

agent/weakness
agent/type
agent/author
agent/first-publish-date
collector/nvd-api
source/NVD
agent/severity
agent/description
agent/event
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2024-27983
collector/mitre-cve
source/MITRE
agent/references
agent/softwarecombine
agent/trending
agent/last-modified-date
agent/source
agent/tags
collector/ibm-support
source/IBM
agent/software-canonical-lookup
agent/software-canonical-lookup-request
collector/f5-advisory
source/F5
vendor/ibm
canonical/ibm cognos analytics
version/ibm cognos analytics/12.0.0-12.0.3
version/ibm cognos analytics/11.2.0-11.2.4 fp4
vendor/f5
canonical/f5 big-ip and big-iq centralized management
version/f5 big-ip and big-iq centralized management/17.1.0
version/f5 big-ip and big-iq centralized management/17.1.2
version/f5 big-ip and big-iq centralized management/16.1.0
version/f5 big-ip and big-iq centralized management/16.1.5
version/f5 big-ip and big-iq centralized management/15.1.0
version/f5 big-ip and big-iq centralized management/15.1.10