Bug 1741868 (CVE-2019-9517)

| Field | Value |
|---|---|
| Summary | CVE-2019-9517 HTTP/2: request for large response leads to denial of service |
| Product | [Other] Security Response |
| Reporter | Dhananjay Arunesh <darunesh> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | unspecified |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Fixed In Version | Nodejs 8.16.1, Nodejs 10.16.3, Nodejs 12.8.1 |
| Doc Type | If docs needed, set a value |
| Last Closed | 2019-09-24 18:45:45 UTC |
| Bug Depends On | 1741948, 1741974, 1742093, 1742411, 1742412, 1745152, 1745154, 1745155, 1745157, 1745158, 1745159, 1745160, 1745161, 1745682, 1745683, 1748608 |
| Bug Blocks | 1735750 |

Doc Text:

A vulnerability was found in HTTP/2. An attacker can open an HTTP/2 window so the peer can send without constraint. The TCP window remains closed so the peer cannot write the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the server's queue is set up, the responses can consume excess memory, CPU, or both, potentially leading to a denial of service. The highest threat from this vulnerability is to system availability.
Description
Dhananjay Arunesh
2019-08-16 09:57:08 UTC

Created httpd tracking bugs for this issue:
Affects: fedora-all [bug 1741869]

Created mod_http2 tracking bugs for this issue:
Affects: fedora-all [bug 1741948]

Created nghttp2 tracking bugs for this issue:
Affects: fedora-all [bug 1741947]

Created nghttp2 tracking bugs for this issue:
Affects: epel-all [bug 1741950]

Created nodejs tracking bugs for this issue:
Affects: fedora-all [bug 1741974]

Created nodejs tracking bugs for this issue:
Affects: epel-all [bug 1742093]

Created nginx tracking bugs for this issue:
Affects: epel-all [bug 1742412]
Affects: fedora-all [bug 1742411]

External References:
https://kb.cert.org/vuls/id/605641/
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/

NodeJS upstream commits:
https://github.com/nodejs/node/commit/c152449012
https://github.com/nodejs/node/commit/0ce699c7b1

mod_http2 upstream commit:
https://github.com/icing/mod_h2/commit/dd05d49abe0f67512ce9ed5ba422d7711effecfb

Mitigation:

The httpd version shipped with Red Hat Enterprise Linux 8 provides HTTP/2 support through the mod_http2 package. While the mod_http2 package is not updated, users can disable HTTP/2 support as a mitigation action by executing the following steps:

1. Stop the httpd service:
   $ systemctl stop httpd
2. Remove HTTP/2 protocol support from the configuration files:
   $ sed -i 's/\(h2\)\|\(h2c\)//g' <httpd_config_file>
3. Validate the configuration files to make sure all syntax is valid:
   $ apachectl configtest
4. Restart the httpd service:
   $ systemctl start httpd

Created undertow tracking bugs for this issue:
Affects: fedora-all [bug 1748608]

Statement:

The package httpd versions as shipped with Red Hat Enterprise Linux 5, 6 and 7 are not affected by this issue as HTTP/2 support is not provided.

This flaw has no available mitigation for the nodejs package. It will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.
The nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2019:2893 https://access.redhat.com/errata/RHSA-2019:2893

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-9517

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2019:2925 https://access.redhat.com/errata/RHSA-2019:2925

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2019:2939 https://access.redhat.com/errata/RHSA-2019:2939

This issue has been addressed in the following products:
JBoss Core Services on RHEL 7
JBoss Core Services on RHEL 6
Via RHSA-2019:2946 https://access.redhat.com/errata/RHSA-2019:2946

This issue has been addressed in the following products:
Red Hat JBoss Core Services
Via RHSA-2019:2950 https://access.redhat.com/errata/RHSA-2019:2950

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2019:2949 https://access.redhat.com/errata/RHSA-2019:2949

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
Via RHSA-2019:2955 https://access.redhat.com/errata/RHSA-2019:2955

This issue has been addressed in the following products:
Red Hat JBoss Core Services
Via RHSA-2019:3935 https://access.redhat.com/errata/RHSA-2019:3935

This issue has been addressed in the following products:
JBoss Core Services on RHEL 7
Via RHSA-2019:3933 https://access.redhat.com/errata/RHSA-2019:3933

This issue has been addressed in the following products:
JBoss Core Services on RHEL 6
Via RHSA-2019:3932 https://access.redhat.com/errata/RHSA-2019:3932

This issue has been addressed in the following products:
Red Hat AMQ
Via RHSA-2020:0922 https://access.redhat.com/errata/RHSA-2020:0922

This issue has been addressed in the following products:
Red Hat Fuse 7.6.0
Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983

This issue has been addressed in the following products:
Red Hat AMQ 7.4.3
Via RHSA-2020:1445 https://access.redhat.com/errata/RHSA-2020:1445
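The four mitigation steps for the RHEL 8 httpd package, written as a script (an added example, not part of the bug report): it edits only `Protocols` directives instead of deleting every `h2` substring in the file, keeps a backup, runs `apachectl configtest` before restarting, and restores the backup if validation fails. The config path is a placeholder, and `http/1.1` as the fallback for an emptied directive is assumed from Apache's documented default.

```shell
#!/bin/sh
# Added example, not from the bug report: a scripted form of the httpd mitigation.
# Only "Protocols" directives are rewritten, so unrelated "h2" substrings in paths
# or comments stay intact. Service and tool names follow the steps in the report.
set -eu

# strip_h2_protocols <config-file>
# Drops the h2 and h2c tokens from every "Protocols ..." directive. A directive
# left with no protocols is set to http/1.1 (Apache's default) so httpd does not
# reject an empty Protocols line. Every other line is copied unchanged.
strip_h2_protocols() {
    f="$1"
    cp "$f" "$f.bak"
    awk '
        tolower($1) == "protocols" {
            out = $1; n = 0
            for (i = 2; i <= NF; i++)
                if (tolower($i) != "h2" && tolower($i) != "h2c") { out = out " " $i; n++ }
            if (n == 0) out = out " http/1.1"
            print out; next
        }
        { print }
    ' "$f" > "$f.tmp"
    cat "$f.tmp" > "$f"    # overwrite in place, keeping the file's owner and mode
    rm -f "$f.tmp"
}

# apply_mitigation <config-file>
# Steps 1-4 from the report, plus a rollback if the edited config fails validation.
apply_mitigation() {
    cfg="$1"
    systemctl stop httpd
    strip_h2_protocols "$cfg"
    if apachectl configtest; then
        systemctl start httpd
    else
        cp "$cfg.bak" "$cfg"    # restore the pre-edit file before bringing httpd back
        systemctl start httpd
        return 1
    fi
}

# Runs only when a config file is given, e.g.:
#   sh disable_h2.sh /etc/httpd/conf.d/ssl.conf   (placeholder path)
[ $# -eq 0 ] || apply_mitigation "$1"
```

Protocols directives can live in any included file, so run `strip_h2_protocols` on each file that `grep -il '^[[:space:]]*Protocols' /etc/httpd/conf* -r` reports before the configtest. Leading indentation on a rewritten directive is not preserved, which httpd does not care about.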