Bug 1735645 (CVE-2019-9512) - CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth
Summary: CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-9512
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20190813:1700...
Depends On: 1741989 1742247 1743207 1743471 1744308 1745594 1746484 1746485 1746486 1746490 1746492 1748583 1752474 1752684 1762051 1762052 1762053 1762054 1762055 1762056 1762057 1762058 1762059 1762060 1762061 1762062 1762063 1762064 1762065 1762066 1762067 1762068 1762069 1762070 1762071 1762072 1762073 1762074 1762075 1762076 1762077 1762078 1762079 1762080 1762081 1762082 1762088 1762089 1762090 1762091 1762092 1762093 1762094 1762095 1762096 1762097 1762098 1762099 1762100 1762101 1762102 1762103 1762104 1762105 1762106 1762107 1762108 1762109 1762110 1762111 1762112 1762113 1762114 1762115 1762116 1762117 1762118 1764858 1766208 1766209 1766211 1766212 1766214 1766215 1766217 1766218 1766288 1766293 1766294 1766296 1766297 1766299 1766300 1766302 1766303 1741815 1741816 1741988 1741996 1741997 1742245 1743206 1743469 1743470 1743472 1743473 1744305 1744306 1744307 1744309 1744310 1745709 1745710 1745711 1745712 1746638 1746640 1746645 1746646 1746650 1746652 1746653 1746654 1746659 1746661 1746664 1748714 1748715 1749139 1749141 1749427 1751879 1751880 1753271 1753451 1761818 1761819 1761820 1761821 1761822 1761823 1761824 1761825 1761826 1761827 1761828 1761829 1761830 1761832 1761873 1762121 1762122 1762123 1766207 1766210 1766213 1766216 1766282 1766283 1766284 1766289 1766290 1766292 1766295 1766298 1766301
Blocks: 1735750
Reported: 2019-08-01 08:00 UTC by Marian Rehak
Modified: 2019-11-12 07:34 UTC

Fixed In Version: envoy 1.11.1, golang 1.11.13, golang 1.12.8, Nodejs 8.16.1, Nodejs 10.16.3, Nodejs 12.8.1, gRPC-Go 1.21.3, gRPC-Go 1.22.2, gRPC-Go 1.23.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-17 22:55:25 UTC

Links
System ID Last Updated
Red Hat Product Errata RHBA-2019:2886 2019-09-23 20:05:04 UTC
Red Hat Product Errata RHBA-2019:3213 2019-10-29 10:14:24 UTC
Red Hat Product Errata RHBA-2019:3289 2019-10-31 17:00:54 UTC
Red Hat Product Errata RHBA-2019:3291 2019-10-31 17:04:52 UTC
Red Hat Product Errata RHSA-2019:2594 2019-09-10 15:59:31 UTC
Red Hat Product Errata RHSA-2019:2661 2019-09-11 05:44:59 UTC
Red Hat Product Errata RHSA-2019:2682 2019-09-09 09:48:10 UTC
Red Hat Product Errata RHSA-2019:2690 2019-09-11 15:28:43 UTC
Red Hat Product Errata RHSA-2019:2726 2019-09-10 13:49:37 UTC
Red Hat Product Errata RHSA-2019:2766 2019-09-12 18:33:07 UTC
Red Hat Product Errata RHSA-2019:2769 2019-10-24 03:07:50 UTC
Red Hat Product Errata RHSA-2019:2796 2019-09-19 02:28:33 UTC
Red Hat Product Errata RHSA-2019:2861 2019-09-26 17:21:38 UTC
Red Hat Product Errata RHSA-2019:2925 2019-09-30 07:21:57 UTC
Red Hat Product Errata RHSA-2019:2939 2019-09-30 23:39:10 UTC
Red Hat Product Errata RHSA-2019:2955 2019-10-02 14:26:51 UTC
Red Hat Product Errata RHSA-2019:2966 2019-10-03 18:57:41 UTC
Red Hat Product Errata RHSA-2019:3131 2019-10-16 15:35:34 UTC
Red Hat Product Errata RHSA-2019:3245 2019-10-29 17:41:51 UTC
Red Hat Product Errata RHSA-2019:3265 2019-10-30 18:18:55 UTC

Description Marian Rehak 2019-08-01 08:00:20 UTC
HTTP/2 flood using PING frames and queueing of response PING ACK frames that results in unbounded memory growth.
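The failure mode in the description, modelled as an added example (not code from this bug, from the Go fix, or from any project named here): a server-side queue of PING ACK control frames with no bound beside one capped per connection, which is the spirit of the Go fix. The type and function names and the cap value of 10000 are assumptions made for the example.

```go
package main

import "errors"

// ErrTooManyQueuedControlFrames: the per-connection bound was exceeded.
var ErrTooManyQueuedControlFrames = errors.New("http2: too many queued control frames")

// pingFrame models an HTTP/2 PING frame (8 opaque bytes). RFC 7540 §6.7
// requires a PING without the ACK flag to be answered with a PING ACK
// carrying the same payload; that ACK is what the server must queue.
type pingFrame struct {
	Ack  bool
	Data [8]byte
}

// serverConn models one server-side connection: the control frames waiting
// to be written and the cap on that queue. maxQueued == 0 is the vulnerable
// configuration (no bound); a positive value is the hardened form, which
// closes the connection instead of queueing without limit (assumed cap).
type serverConn struct {
	maxQueued int
	queued    [][8]byte
	closed    bool
}

// handlePing queues the PING ACK owed for an inbound PING.
func (c *serverConn) handlePing(f pingFrame) error {
	if c.closed {
		return errors.New("connection closed")
	}
	if f.Ack {
		return nil // an ACK for one of our own PINGs needs no reply
	}
	if c.maxQueued > 0 && len(c.queued) >= c.maxQueued {
		c.closed, c.queued = true, nil // release the memory, drop the peer
		return ErrTooManyQueuedControlFrames
	}
	c.queued = append(c.queued, f.Data)
	return nil
}

// receiveUnread feeds n PINGs while the peer never reads its side of the
// socket, so no ACK is ever flushed; returns queued count and closed flag.
func receiveUnread(c *serverConn, n int) (int, bool) {
	for i := 0; i < n; i++ {
		_ = c.handlePing(pingFrame{Data: [8]byte{byte(i), byte(i >> 8)}})
	}
	return len(c.queued), c.closed
}
```

With maxQueued left at 0 every unanswered PING costs another queued frame for as long as the peer stays connected; with the cap set, memory per connection stays bounded and the misbehaving peer is disconnected.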

Comment 1 Marian Rehak 2019-08-09 07:27:31 UTC
Acknowledgments:

Name: the Envoy security team

Comment 3 Timothy Walsh 2019-08-15 06:28:08 UTC
https://istio.io/blog/2019/announcing-1.2.4/

Comment 4 Marian Rehak 2019-08-15 12:54:09 UTC
Issue in golang:

https://github.com/golang/go/issues/33606

Comment 7 msiddiqu 2019-08-16 07:35:59 UTC
Created golang tracking bugs for this issue:

Affects: epel-all [bug 1741815]
Affects: fedora-all [bug 1741816]

Comment 9 msiddiqu 2019-08-16 14:30:46 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1741989]
Affects: fedora-all [bug 1741988]

Comment 10 msiddiqu 2019-08-16 14:38:19 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1741997]
Affects: fedora-all [bug 1741996]

Comment 11 msiddiqu 2019-08-16 18:14:43 UTC
Created nginx tracking bugs for this issue:

Affects: epel-all [bug 1742247]
Affects: fedora-all [bug 1742245]

Comment 22 Marco Benatto 2019-08-21 18:53:37 UTC
NodeJS upstream commit:
https://github.com/nodejs/node/commit/fd148d38d259fee8507cdb5c57dda82e1d1a4819

Comment 29 msiddiqu 2019-08-26 12:55:02 UTC
Created kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 1745594]

Comment 33 Marco Benatto 2019-08-26 16:41:45 UTC
golang has a bundled HTTP/2 implementation. Upstream commit containing the fix backport:
https://github.com/golang/go/commit/e152b01a468a1c18a290bf9aec52ccea7693c7f2

Comment 66 Marco Benatto 2019-09-03 21:33:41 UTC
Created undertow tracking bugs for this issue:

Affects: fedora-all [bug 1748583]

Comment 72 errata-xmlrpc 2019-09-09 09:48:06 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2019:2682 https://access.redhat.com/errata/RHSA-2019:2682

Comment 74 errata-xmlrpc 2019-09-10 13:49:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2726 https://access.redhat.com/errata/RHSA-2019:2726

Comment 75 errata-xmlrpc 2019-09-10 15:59:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:2594 https://access.redhat.com/errata/RHSA-2019:2594

Comment 76 Product Security DevOps Team 2019-09-10 18:45:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-9512

Comment 77 errata-xmlrpc 2019-09-11 05:44:54 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:2661 https://access.redhat.com/errata/RHSA-2019:2661

Comment 78 errata-xmlrpc 2019-09-11 15:28:39 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.10

Via RHSA-2019:2690 https://access.redhat.com/errata/RHSA-2019:2690

Comment 80 errata-xmlrpc 2019-09-12 18:33:03 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:2766 https://access.redhat.com/errata/RHSA-2019:2766

Comment 84 errata-xmlrpc 2019-09-19 02:28:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 14.0 (Rocky)

Via RHSA-2019:2796 https://access.redhat.com/errata/RHSA-2019:2796

Comment 88 errata-xmlrpc 2019-09-26 17:21:32 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:2861 https://access.redhat.com/errata/RHSA-2019:2861

Comment 89 errata-xmlrpc 2019-09-30 07:21:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2925 https://access.redhat.com/errata/RHSA-2019:2925

Comment 90 errata-xmlrpc 2019-09-30 23:39:05 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2939 https://access.redhat.com/errata/RHSA-2019:2939

Comment 92 errata-xmlrpc 2019-10-02 14:26:46 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2955 https://access.redhat.com/errata/RHSA-2019:2955

Comment 93 errata-xmlrpc 2019-10-03 18:57:36 UTC
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2019:2966 https://access.redhat.com/errata/RHSA-2019:2966

Comment 94 Sam Fowler 2019-10-08 05:42:41 UTC
Statement:

The golang package in Red Hat OpenStack Platform 9 Operational Tools will not be updated for this flaw because it is in technical preview and is retiring as of 24.Aug.2019.
This issue did not affect the versions of grafana (embeds golang) as shipped with Red Hat Ceph Storage 2 and Red Hat Gluster Storage 3, as they did not include support for HTTP/2.
The following storage product versions are affected because they include support for HTTP/2 in:
* golang as shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3
* heketi (embeds golang) as shipped with Red Hat Gluster Storage 3
* grafana (embeds golang and grpc) as shipped with Red Hat Ceph Storage 3
This flaw has no available mitigation for the packages golang and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.

The nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.

All OpenShift Container Platform RPMs and container images that are built with Go and support HTTP/2 are vulnerable to this flaw.

Comment 102 errata-xmlrpc 2019-10-16 15:35:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:3131 https://access.redhat.com/errata/RHSA-2019:3131

Comment 106 errata-xmlrpc 2019-10-24 03:07:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.9

Via RHSA-2019:2769 https://access.redhat.com/errata/RHSA-2019:2769

Comment 114 errata-xmlrpc 2019-10-29 17:41:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2019:3245 https://access.redhat.com/errata/RHSA-2019:3245

Comment 115 errata-xmlrpc 2019-10-30 18:18:43 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:3265 https://access.redhat.com/errata/RHSA-2019:3265
