Bug 1735741 (CVE-2019-9513)
| Field | Value |
|---|---|
| Summary | CVE-2019-9513 HTTP/2: flood using PRIORITY frames results in excessive resource consumption |
| Product | [Other] Security Response |
| Reporter | Marian Rehak <mrehak> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | high |
| Docs Contact | |
| Priority | high |
| Version | unspecified |
| CC | affix, ahardin, aileenc, akoufoud, alazarot, almorale, anstephe, asoldano, ataylor, athmanem, avibelli, bavery, bbaranow, bdettelb, bgeorges, bleanhar, bmaxwell, bmontgom, bnater, brian.stansberry, ccoleman, cdewolf, chazlett, csutherl, dajohnso, darran.lofthouse, dbeveniu, dedgar, dmetzger, dosoudil, drieden, eparis, etirelli, extras-orphan, ganandan, gblomqui, ggaughan, gmainwar, gmccullo, gtanzill, gzaronik, hesilva, hhorak, ibek, iweiss, janstey, jawilson, jbalunas, jburrell, jclere, jeremy, jfrey, jgoulding, jhardy, jkaluza, jlaska, jochrist, jokerman, jorton, jpallich, jperkins, jprause, jschorr, kconner, kdixon, kdudka, krathod, kverlaen, kvolny, kwills, lef, lgao, lpetrovi, lthon, luhliari, mbabacek, mbenatto, mchappel, mnovotny, mrunge, msekleta, msochure, msvehla, mszynkie, mturk, mvanderw, myarboro, nodejs-maint, nodejs-sig, nstielau, nwallace, obarenbo, paradhya, pavel.lisy, pdrozd, peter.borsa, pgallagh, pmackay, psotirop, puntogil, rguimara, roliveri, rrajasek, rruss, rsvoboda, rsynek, sdaley, security-response-team, sgallagh, simaishi, smaestri, sponnaga, sthorger, tchollingsworth, thrcka, tomckay, tom.jenkinson, trogers, twalsh, weli, wtogami, zsvetlik |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | envoy 1.11.1, Nodejs 8.16.1, Nodejs 10.16.3, Nodejs 12.8.1, nginx 1.16.1, nginx 1.17.3, nghttp2 1.39.2 |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in HTTP/2. An attacker, using PRIORITY frames to flood the system, could cause excessive CPU usage and starvation of other clients. The largest threat from this vulnerability is to system availability. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2019-09-10 00:45:33 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1741965, 1741967, 1741971, 1742011, 1742294, 1742296, 1744325, 1744326, 1744327, 1744328, 1744330, 1744331, 1744332, 1744333, 1744574, 1744576, 1744591, 1744592, 1744593, 1744594, 1744595, 1744598, 1744832, 1745689, 1745690, 1745691, 1745692, 1746420, 1748602, 1752527, 1752542 |
| Bug Blocks | 1735750 |
Description
Marian Rehak
2019-08-01 11:34:46 UTC
Acknowledgments:

Name: the Envoy security team

Created nghttp2 tracking bugs for this issue:

Affects: epel-all [bug 1741965]

Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1741971]
Affects: fedora-all [bug 1741967]

Created nghttp2 tracking bugs for this issue:

Affects: fedora-all [bug 1742011]

Created nginx tracking bugs for this issue:

Affects: epel-all [bug 1742296]
Affects: fedora-all [bug 1742294]

Upstream commit for NGINX:

http://hg.nginx.org/nginx/rev/45415228990b

External References:

https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/
https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/
https://nghttp2.org/blog/2019/08/19/nghttp2-v1-39-2/

Mitigation:

Red Hat Quay 3.0 uses Nginx 1.12 from Red Hat Software Collections. It will be updated once a fix is released for Software Collections. In the meantime users of Quay can disable http/2 support in Nginx by following these instructions:

1. Copy the Nginx configuration from the quay container to the host

    $ docker cp 3aadf1421ba3:/quay-registry/conf/nginx/ /mnt/quay/nginx

2. Edit the Nginx configuration, removing http/2 support

    $ sed -i 's/http2 //g' /mnt/quay/nginx/nginx.conf

3. Restart Nginx with the new configuration mounted into the container, eg:

    $ docker run --restart=always -p 443:8443 -p 80:8080 --sysctl net.core.somaxconn=4096 -v /mnt/quay/config:/conf/stack:Z -v /mnt/quay/storage:/datastorage -v /mnt/quay/nginx:/quay-registry/config/nginx:Z -d quay.io/redhat/quay:v3.0.3

Comment #16, Marco Benatto:

Upstream commits for nghttp2 seem to be:

https://github.com/nghttp2/nghttp2/commit/95efb3e19d174354ca50c65d5d7227d92bcd60e1
https://github.com/nghttp2/nghttp2/commit/0a6ce87c22c69438ecbffe52a2859c3a32f1620f
https://github.com/nghttp2/nghttp2/commit/319d5ab1c6d916b6b8a0d85b2ae3f01b3ad04f2c

Comment #18:

(In reply to Marco Benatto from comment #16)
> Upstream commits for nghttp2 seem to be:

That is exactly what I backported for epel-7:

https://src.fedoraproject.org/rpms/nghttp2/blob/epel7/f/nghttp2-1.31.1-CVE-2019-9511-and-CVE-2019-9513.patch

I thought it fixes also CVE-2019-9511, doesn't it?

In reply to comment #18:
> (In reply to Marco Benatto from comment #16)
> > Upstream commits for nghttp2 seem to be:
>
> That is exactly what I backported for epel-7:
>
> https://src.fedoraproject.org/rpms/nghttp2/blob/epel7/f/nghttp2-1.31.1-CVE-2019-9511-and-CVE-2019-9513.patch
>
> I thought it fixes also CVE-2019-9511, doesn't it?

It seems to be. The git changelog doesn't provide specific information about which commit fixes which CVE, but given the flaw descriptions and the commit context they seem to be the right ones. I'm double checking with upstream maintainers and will update this bug in case we get something different.

Comment #20:

Thank you for clarifying it!

NodeJS upstream commits:

https://github.com/nodejs/node/commit/74507fae34
https://github.com/nodejs/node/commit/a397c881ec
https://github.com/nodejs/node/commit/fedfa12a33
https://github.com/nodejs/node/commit/ab0f2ace36
https://github.com/nodejs/node/commit/0acbe05ee2
https://github.com/nodejs/node/commit/7f11465572
https://github.com/nodejs/node/commit/2eb914ff5f

In reply to comment #20:
> Thank you for clarifying it!

I've heard back from upstream; according to Tatsuhiro the commit which fixes both CVE-2019-9513 and CVE-2019-9511 is:

https://github.com/nghttp2/nghttp2/commit/95efb3e19d174354ca50c65d5d7227d92bcd60e1

His reply:

"Tatsuhiro Tsujikawa 10:05 AM (1 hour ago) to me

Hi,

On Thu, Aug 22, 2019 at 9:59 PM Marco Benatto <mbenatto> wrote:

Hello Tatsuhiro,

I'm Marco Benatto, I'm a Sr. Product Security Engineer at Red Hat and I'm working over the analysis for the CVEs mentioned on the subject and their fixes for nghttp2. Sorry to bother you but may I have your help to confirm/identify which commits fix those CVEs? Should it be:

https://github.com/nghttp2/nghttp2/commit/95efb3e19d174354ca50c65d5d7227d92bcd60e1
https://github.com/nghttp2/nghttp2/commit/0a6ce87c22c69438ecbffe52a2859c3a32f1620f
https://github.com/nghttp2/nghttp2/commit/319d5ab1c6d916b6b8a0d85b2ae3f01b3ad04f2c

https://github.com/nghttp2/nghttp2/commit/95efb3e19d174354ca50c65d5d7227d92bcd60e1 fixes the CVE.

Best regards,
Tatsuhiro Tsujikawa"

Created undertow tracking bugs for this issue:

Affects: fedora-all [bug 1748602]

Statement:

This flaw has no available mitigation for packages nghttp2 and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.

The nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2019:2692 https://access.redhat.com/errata/RHSA-2019:2692

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-9513

This issue has been addressed in the following products:

- Red Hat Software Collections for Red Hat Enterprise Linux 7; Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS; Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS; Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS; Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS; Red Hat Software Collections for Red Hat Enterprise Linux 6. Via RHSA-2019:2745 https://access.redhat.com/errata/RHSA-2019:2745
- Red Hat Software Collections for Red Hat Enterprise Linux 7; Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS; Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS; Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS; Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS. Via RHSA-2019:2746 https://access.redhat.com/errata/RHSA-2019:2746
- Red Hat Software Collections for Red Hat Enterprise Linux 7; Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS; Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS; Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS; Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS. Via RHSA-2019:2775 https://access.redhat.com/errata/RHSA-2019:2775
- Red Hat Enterprise Linux 8. Via RHSA-2019:2799 https://access.redhat.com/errata/RHSA-2019:2799
- Red Hat Enterprise Linux 8. Via RHSA-2019:2925 https://access.redhat.com/errata/RHSA-2019:2925
- Red Hat Software Collections for Red Hat Enterprise Linux 7; Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS; Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS; Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS. Via RHSA-2019:2939 https://access.redhat.com/errata/RHSA-2019:2939
- Red Hat Software Collections for Red Hat Enterprise Linux 6; Red Hat Software Collections for Red Hat Enterprise Linux 7; Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS; Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS; Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS. Via RHSA-2019:2949 https://access.redhat.com/errata/RHSA-2019:2949
- Red Hat Software Collections for Red Hat Enterprise Linux 7; Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS; Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS; Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS. Via RHSA-2019:2955 https://access.redhat.com/errata/RHSA-2019:2955
- Red Hat Quay 3. Via RHSA-2019:2966 https://access.redhat.com/errata/RHSA-2019:2966
- OpenShift Service Mesh 1.0. Via RHSA-2019:3041 https://access.redhat.com/errata/RHSA-2019:3041
- Red Hat JBoss Core Services. Via RHSA-2019:3935 https://access.redhat.com/errata/RHSA-2019:3935
- JBoss Core Services on RHEL 7. Via RHSA-2019:3933 https://access.redhat.com/errata/RHSA-2019:3933
- JBoss Core Services on RHEL 6. Via RHSA-2019:3932 https://access.redhat.com/errata/RHSA-2019:3932
- Red Hat Fuse 7.6.0. Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983
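The Doc Text above describes the flaw at the protocol level: PRIORITY frames are valid even for streams the client never opens, so a client can keep a server reshaping its priority tree without ever sending a request. One defensive pattern for this class of flood is to give each connection a budget of PRIORITY frames that only real work refills, and to close the connection with ENHANCE_YOUR_CALM when the budget runs out. The Python model below is an added example, not code from nginx, nghttp2, Node.js or Envoy and not the fix any of the commits listed in this bug implement; the budget size (twice the stream limit) and the refill rule (one extra PRIORITY frame per opened stream) are assumptions chosen for illustration. It parses the 9-byte HTTP/2 frame header from RFC 7540, applies the checks the RFC already requires for PRIORITY frames, and then spends the budget. The sample traffic is constructed inline, not captured from a real client.

```python
"""Per-connection PRIORITY frame budget for an HTTP/2 endpoint (added example).

Not code from nginx, nghttp2, Node.js or Envoy. Budget size and refill rule
are assumptions for illustration; frame layout, error codes and the
stream-0 / payload-length checks come from RFC 7540 sections 4.1, 6.3 and 7.
"""
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# Frame types and error codes from RFC 7540.
FRAME_HEADERS = 0x1
FRAME_PRIORITY = 0x2
PROTOCOL_ERROR = 0x1
FRAME_SIZE_ERROR = 0x6
ENHANCE_YOUR_CALM = 0xB

HEADER_LEN = 9
PRIORITY_PAYLOAD_LEN = 5  # E bit + 31-bit stream dependency, then 1-byte weight

Frame = Tuple[int, int, int, bytes]  # (type, flags, stream_id, payload)


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Encode one frame; used here only to construct sample input for the demo."""
    return (len(payload).to_bytes(3, "big")
            + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big")
            + payload)


def parse_frames(buf: bytes) -> Iterator[Frame]:
    """Yield complete frames from buf; a trailing partial frame is left unread."""
    off = 0
    while off + HEADER_LEN <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        start = off + HEADER_LEN
        if start + length > len(buf):
            break  # wait for the rest of this frame
        yield ftype, flags, stream_id, buf[start:start + length]
        off = start + length


@dataclass
class Connection:
    """Control-frame accounting for one client connection."""
    max_concurrent_streams: int = 128
    priority_budget: int = 0
    streams_opened: int = 0
    frames_seen: int = 0

    def __post_init__(self) -> None:
        # Assumed starting budget: twice the stream limit, i.e. the client may
        # reprioritise every stream it could possibly have open, twice over.
        self.priority_budget = self.max_concurrent_streams * 2

    def on_frame(self, ftype: int, flags: int, stream_id: int, payload: bytes) -> Optional[int]:
        """Return None to continue, or an RFC 7540 error code that closes the connection."""
        self.frames_seen += 1
        if ftype == FRAME_HEADERS:
            # Real work: opening a stream earns one more PRIORITY frame.
            # (HPACK and the PADDED/PRIORITY flags are not decoded in this model.)
            self.streams_opened += 1
            self.priority_budget += 1
            return None
        if ftype != FRAME_PRIORITY:
            return None
        # Checks RFC 7540 section 6.3 already mandates.
        if stream_id == 0:
            return PROTOCOL_ERROR
        if len(payload) != PRIORITY_PAYLOAD_LEN:
            return FRAME_SIZE_ERROR
        # The flood defence: every PRIORITY frame spends budget, including
        # frames for idle streams that would otherwise only cost tree work.
        self.priority_budget -= 1
        if self.priority_budget < 0:
            return ENHANCE_YOUR_CALM
        return None


def run_connection(buf: bytes, max_streams: int = 128) -> Tuple[int, Optional[int]]:
    """Feed buf through a fresh connection; return (frames processed, error or None)."""
    conn = Connection(max_concurrent_streams=max_streams)
    for frame in parse_frames(buf):
        err = conn.on_frame(*frame)
        if err is not None:
            return conn.frames_seen, err
    return conn.frames_seen, None


# Constructed sample traffic (not captured from a real client).
PRIORITY_PAYLOAD = b"\x00\x00\x00\x00\x10"  # depends on stream 0, weight field 16
NORMAL_SESSION = (build_frame(FRAME_HEADERS, 0x5, 1)  # END_STREAM | END_HEADERS
                  + build_frame(FRAME_PRIORITY, 0, 1, PRIORITY_PAYLOAD)
                  + build_frame(FRAME_HEADERS, 0x5, 3)
                  + build_frame(FRAME_PRIORITY, 0, 3, PRIORITY_PAYLOAD))
# A client that only reprioritises streams it never opens.
PRIORITY_ONLY = b"".join(build_frame(FRAME_PRIORITY, 0, 2 * i + 1, PRIORITY_PAYLOAD)
                         for i in range(300))

if __name__ == "__main__":
    print("normal:", run_connection(NORMAL_SESSION))     # (4, None)
    print("flood:", run_connection(PRIORITY_ONLY, 128))  # (257, 11)
```

With a 128-stream limit the connection accepts 256 PRIORITY frames and closes on the 257th, while a session that opens streams between reprioritisations never runs dry. The point of tying the refill to HEADERS frames rather than to wall-clock time is that it bounds priority-tree work per unit of useful work, which is the ratio the flood in this CVE distorts; a real server would also cap the tree size and account for other control frames (SETTINGS, PING, WINDOW_UPDATE) the same way.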