Bug 1741860 (CVE-2019-9511)
| Summary: | CVE-2019-9511 HTTP/2: large amount of data requests leads to denial of service | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | aboyko, affix, ahardin, aileenc, akarol, akostadi, akoufoud, alazarot, almorale, amasferr, anstephe, aschwart, asoldano, atangrin, ataylor, athmanem, avibelli, bbaranow, bdettelb, bgeorges, bleanhar, bmaxwell, bmontgom, bnater, boliveir, brian.stansberry, cbartlet, ccoleman, cdewolf, chazlett, cperry, csutherl, dajohnso, darran.lofthouse, dbeveniu, dbruscin, dedgar, dhanak, dkreling, dmayorov, dmetzger, doconnor, dosoudil, drieden, drosa, eparis, etirelli, extras-orphan, fjuma, ganandan, gblomqui, ggaughan, gmainwar, gmalinko, gmccullo, gtanzill, gzaronik, hello, hesilva, hhorak, ibek, istudens, ivassile, iweiss, jamacku, janstey, jawilson, jbalunas, jburrell, jclere, jeremy, jfrey, jgoulding, jhardy, jkaluza, jlaska, jlledo, jochrist, jokerman, jorton, jpallich, jperkins, jprause, jrokos, jross, jschorr, jwon, kdixon, kdudka, krathod, kvanderr, kverlaen, kvolny, kwills, lef, lgao, lpetrovi, lthon, luhliari, mabashia, mbabacek, mbenatto, mchappel, mkudlej, mmakovy, mnovotny, mosmerov, mposolda, mrunge, msekleta, msochure, msvehla, mszynkie, mturk, myarboro, nodejs-maint, nodejs-sig, nstielau, nwallace, obarenbo, paradhya, pavel.lisy, pdelbell, pdrozd, pesilva, pgallagh, pjindal, plodge, pmackay, psotirop, puntogil, rguimara, rkieley, roliveri, rrajasek, rruss, rstancel, rstepani, rsvoboda, rsynek, sausingh, sdaley, security-response-team, sgallagh, simaishi, smaestri, smallamp, smcdonal, sponnaga, ssilvert, sthorger, szappis, tchollingsworth, teagle, thrcka, tjochec, tomckay, tom.jenkinson, trogers, twalsh, vkrizan, vmuzikar, weli, wtogami, ysoni, zsvetlik |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | Nodejs 8.16.1, Nodejs 10.16.3, Nodejs 12.8.1, nginx 1.16.1, nginx 1.17.3 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in HTTP/2. An attacker can request a large amount of data by manipulating window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this queue can consume excess CPU, memory, or both, leading to a denial of service. The highest threat from this vulnerability is to system availability. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-09-10 00:45:40 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1741947, 1741948, 1741950, 1741981, 1741982, 1742375, 1742376, 1744802, 1744804, 1744806, 1744807, 1744808, 1744809, 1744810, 1744811, 1744813, 1744814, 1744815, 1744816, 1744817, 1744818, 1744819, 1744821, 1744823, 1744824, 1744825, 1744831, 1744997, 1744999, 1745694, 1745695, 1745696, 1745697, 1746421, 1748606, 1752524, 1752545 | | |
| Bug Blocks: | 1735750 | | |
Description
Dhananjay Arunesh
2019-08-16 09:39:58 UTC

Created httpd tracking bugs for this issue: Affects: fedora-all [bug 1741861]

Created mod_http2 tracking bugs for this issue: Affects: fedora-all [bug 1741948]

Created nghttp2 tracking bugs for this issue: Affects: fedora-all [bug 1741947]

Created nghttp2 tracking bugs for this issue: Affects: epel-all [bug 1741950]

Created nodejs tracking bugs for this issue: Affects: epel-all [bug 1741982]; Affects: fedora-all [bug 1741981]

External References:
- https://kb.cert.org/vuls/id/605641/
- https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
- https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/
- https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/

Created nginx tracking bugs for this issue: Affects: epel-all [bug 1742376]; Affects: fedora-all [bug 1742375]

Created nghttp2 tracking bugs for this issue: Affects: epel-all [bug 1744803]; Affects: fedora-all [bug 1744802]

NodeJS upstream commits for this issue:
- https://github.com/nodejs/node/commit/c152449012
- https://github.com/nodejs/node/commit/0ce699c7b1

nghttp2 upstream commit for this issue: https://github.com/nghttp2/nghttp2/commit/95efb3e19d174354ca50c65d5d7227d92bcd60e1

NGINX upstream commit: http://hg.nginx.org/nginx/rev/99b6733876c4

Created undertow tracking bugs for this issue: Affects: fedora-all [bug 1748606]

This issue has been addressed in the following products:
- Red Hat Enterprise Linux 8

Via RHSA-2019:2692 https://access.redhat.com/errata/RHSA-2019:2692

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-9511

This issue has been addressed in the following products:
- Red Hat Software Collections for Red Hat Enterprise Linux 7
- Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:2745 https://access.redhat.com/errata/RHSA-2019:2745

This issue has been addressed in the following products:
- Red Hat Software Collections for Red Hat Enterprise Linux 7
- Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2746 https://access.redhat.com/errata/RHSA-2019:2746

This issue has been addressed in the following products:
- Red Hat Software Collections for Red Hat Enterprise Linux 7
- Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2775 https://access.redhat.com/errata/RHSA-2019:2775

This issue has been addressed in the following products:
- Red Hat Enterprise Linux 8

Via RHSA-2019:2799 https://access.redhat.com/errata/RHSA-2019:2799

Mitigation:

Red Hat Quay 3.0 uses Nginx 1.12 from Red Hat Software Collections. It will be updated once a fix is released for Software Collections. In the meantime users of Quay can disable http/2 support in Nginx by following these instructions:

1. Copy the Nginx configuration from the quay container to the host: `$ docker cp 3aadf1421ba3:/quay-registry/conf/nginx/ /mnt/quay/nginx`
2. Edit the Nginx configuration, removing http/2 support: `$ sed -i 's/http2 //g' /mnt/quay/nginx/nginx.conf`
3. Restart Nginx with the new configuration mounted into the container, eg: `$ docker run --restart=always -p 443:8443 -p 80:8080 --sysctl net.core.somaxconn=4096 -v /mnt/quay/config:/conf/stack:Z -v /mnt/quay/storage:/datastorage -v /mnt/quay/nginx:/quay-registry/config/nginx:Z -d quay.io/redhat/quay:v3.0.3`

@chazlett, May I know why creating undertow tracking bugs since it is not affected (according to your previous comment #c65)?

This issue has been addressed in the following products:
- Red Hat Enterprise Linux 8

Via RHSA-2019:2925 https://access.redhat.com/errata/RHSA-2019:2925

This issue has been addressed in the following products:
- Red Hat Software Collections for Red Hat Enterprise Linux 7
- Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2939 https://access.redhat.com/errata/RHSA-2019:2939

This issue has been addressed in the following products:
- Red Hat Software Collections for Red Hat Enterprise Linux 6
- Red Hat Software Collections for Red Hat Enterprise Linux 7
- Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2949 https://access.redhat.com/errata/RHSA-2019:2949

This issue has been addressed in the following products:
- Red Hat Software Collections for Red Hat Enterprise Linux 7
- Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
- Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2955 https://access.redhat.com/errata/RHSA-2019:2955

This issue has been addressed in the following products:
- Red Hat Quay 3

Via RHSA-2019:2966 https://access.redhat.com/errata/RHSA-2019:2966

This issue has been addressed in the following products:
- Openshift Service Mesh 1.0
- OpenShift Service Mesh 1.0

Via RHSA-2019:3041 https://access.redhat.com/errata/RHSA-2019:3041

As per the pull request sent for JBoss EAP for this issue, undertow version 2.0.24 should include the fix, and RHSSO 7.3.4 (latest GA version available) ships undertow-core-2.0.25.SP1-redhat-00001.jar, so it should already include the fix, so I am marking RHSSO as not affected.

This issue has been addressed in the following products:
- Red Hat JBoss Core Services

Via RHSA-2019:3935 https://access.redhat.com/errata/RHSA-2019:3935

This issue has been addressed in the following products:
- JBoss Core Services on RHEL 7

Via RHSA-2019:3933 https://access.redhat.com/errata/RHSA-2019:3933

This issue has been addressed in the following products:
- JBoss Core Services on RHEL 6

Via RHSA-2019:3932 https://access.redhat.com/errata/RHSA-2019:3932

This issue has been addressed in the following products:
- Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2019:4018 https://access.redhat.com/errata/RHSA-2019:4018

This issue has been addressed in the following products:
- Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2019:4020 https://access.redhat.com/errata/RHSA-2019:4020

This issue has been addressed in the following products:
- Red Hat JBoss Enterprise Application Platform

Via RHSA-2019:4021 https://access.redhat.com/errata/RHSA-2019:4021

This issue has been addressed in the following products:
- Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2019:4019 https://access.redhat.com/errata/RHSA-2019:4019

This issue has been addressed in the following products:
- Red Hat AMQ

Via RHSA-2020:0922 https://access.redhat.com/errata/RHSA-2020:0922

This issue has been addressed in the following products:
- Red Hat AMQ 7.4.3

Via RHSA-2020:1445 https://access.redhat.com/errata/RHSA-2020:1445

Statement:

There are no mitigations available for nghttp2 and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.

The nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.

This issue has been addressed in the following products:
- Red Hat Openshift Application Runtimes

Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067

This issue has been addressed in the following products:
- Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:2565 https://access.redhat.com/errata/RHSA-2020:2565

This issue has been addressed in the following products:
- Red Hat Fuse 7.7.0

Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192

This issue has been addressed in the following products:
- Red Hat JBoss Enterprise Application Platform 7.1 EUS for RHEL 7

Via RHSA-2024:5856 https://access.redhat.com/errata/RHSA-2024:5856
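The Quay mitigation in the thread above disables HTTP/2 by running `sed -i 's/http2 //g'` over the copied nginx.conf. As an added example (not part of this bug report and not Quay's or Red Hat's own tooling), the script below performs the same edit restricted to `listen` directives, also handles the case where `http2` is the last parameter before the `;` (which the trailing-space pattern above would miss), and verifies afterwards that no listen directive still enables HTTP/2. The sample nginx.conf is constructed for the demonstration; the `quay_disable_http2` wrapper, its container-id and host-directory arguments, and the assumption that `docker` is on the path are hypothetical.

```shell
#!/bin/sh
# Added example: remove the "http2" listen parameter from an nginx.conf and
# confirm the result. Not the bug report's own commands.
set -eu

# Remove "http2" from every listen directive in FILE. Only lines starting
# with "listen" are edited, so directives such as http2_max_field_size and
# comments mentioning http2 stay intact. Writes via a temp file so it works
# with both GNU and BSD sed (no -i).
disable_http2_in_conf() {
    file="$1"
    tmp=$(mktemp)
    sed -E '/^[[:space:]]*listen[[:space:]]/ s/[[:space:]]+http2([[:space:];])/\1/g' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# Exit status 0 if any listen directive in FILE still enables HTTP/2,
# 1 otherwise. Use this as the post-edit check before restarting nginx.
conf_has_http2() {
    grep -Eq '^[[:space:]]*listen[[:space:]].*[[:space:]]http2([[:space:];]|$)' "$1"
}

# Constructed sample of the relevant part of an nginx.conf (not Quay's real file).
sample_conf() {
    cat <<'EOF'
http {
    http2_max_field_size 16k;
    server {
        listen 8443 ssl http2 default_server;
        listen [::]:8443 ssl http2;
        # http2 is also mentioned in this comment, which must stay intact
        server_name quay.example;
    }
}
EOF
}

# Hypothetical wrapper for the three Quay steps. CONTAINER is the running
# quay container id and HOSTDIR the host directory to keep the config in.
# Not invoked in this file; the container paths are those quoted in the thread.
quay_disable_http2() {
    container="$1"; hostdir="$2"
    docker cp "$container:/quay-registry/conf/nginx/" "$hostdir"
    disable_http2_in_conf "$hostdir/nginx.conf"
    if conf_has_http2 "$hostdir/nginx.conf"; then
        echo "http2 still enabled in $hostdir/nginx.conf" >&2
        return 1
    fi
    echo "http2 removed; restart the container with -v $hostdir:/quay-registry/config/nginx:Z"
}

# Demonstration on the constructed sample. Prints "ok" and returns 0 when the
# edit removed http2 from both listen lines and left everything else alone.
demo() {
    f=$(mktemp)
    sample_conf > "$f"
    conf_has_http2 "$f" || { echo "sample should enable http2 before the edit" >&2; return 1; }
    disable_http2_in_conf "$f"
    if conf_has_http2 "$f"; then
        echo "http2 still enabled after the edit" >&2; rm -f "$f"; return 1
    fi
    grep -q 'listen 8443 ssl default_server;' "$f" || return 1
    grep -q 'listen \[::\]:8443 ssl;' "$f" || return 1
    grep -q 'http2_max_field_size 16k;' "$f" || return 1
    grep -q '# http2 is also mentioned' "$f" || return 1
    rm -f "$f"
    echo "ok"
}

demo
```

Running the file prints `ok`. On a real host, run `nginx -t` against the edited configuration before restarting the container, and keep the check in place until the Software Collections nginx (1.16.1 / 1.17.3 upstream, per the Fixed In Version field) is deployed and HTTP/2 can be re-enabled.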