Bug 1741868 (CVE-2019-9517) - CVE-2019-9517 HTTP/2: request for large response leads to denial of service
Summary: CVE-2019-9517 HTTP/2: request for large response leads to denial of service
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-9517
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1742093 1741948 1741974 1742411 1742412 1745152 1745154 1745155 1745157 1745158 1745159 1745160 1745161 1745682 1745683 1748608
Blocks: 1735750
TreeView+ depends on / blocked
 
Reported: 2019-08-16 09:57 UTC by Dhananjay Arunesh
Modified: 2020-05-18 10:45 UTC (History)
121 users (show)

Fixed In Version: Nodejs 8.16.1, Nodejs 10.16.3, Nodejs 12.8.1
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in HTTP/2. An attacker can open a HTTP/2 window so the peer can send without constraint. The TCP window remains closed so the peer cannot write the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the server's queue is setup, the responses can consume excess memory, CPU, or both, potentially leading to a denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2019-09-24 18:45:45 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:3289 None None None 2019-10-31 17:01:16 UTC
Red Hat Product Errata RHBA-2019:3291 None None None 2019-10-31 17:05:11 UTC
Red Hat Product Errata RHSA-2019:2893 None None None 2019-09-24 13:53:23 UTC
Red Hat Product Errata RHSA-2019:2925 None None None 2019-09-30 07:22:16 UTC
Red Hat Product Errata RHSA-2019:2939 None None None 2019-09-30 23:39:30 UTC
Red Hat Product Errata RHSA-2019:2946 None None None 2019-10-01 10:32:43 UTC
Red Hat Product Errata RHSA-2019:2949 None None None 2019-10-01 11:52:35 UTC
Red Hat Product Errata RHSA-2019:2950 None None None 2019-10-01 11:46:17 UTC
Red Hat Product Errata RHSA-2019:2955 None None None 2019-10-02 14:27:16 UTC
Red Hat Product Errata RHSA-2019:3932 None None None 2019-11-20 16:22:01 UTC
Red Hat Product Errata RHSA-2019:3933 None None None 2019-11-20 16:14:12 UTC
Red Hat Product Errata RHSA-2019:3935 None None None 2019-11-20 16:09:01 UTC
Red Hat Product Errata RHSA-2020:0922 None None None 2020-03-23 08:23:09 UTC
Red Hat Product Errata RHSA-2020:0983 None None None 2020-03-26 15:48:40 UTC
Red Hat Product Errata RHSA-2020:1445 None None None 2020-04-14 13:05:31 UTC

Description Dhananjay Arunesh 2019-08-16 09:57:08 UTC
A vulnerability was found in http/2 where an attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.

Comment 1 Dhananjay Arunesh 2019-08-16 09:57:22 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1741869]

Comment 3 Dhananjay Arunesh 2019-08-16 14:01:41 UTC
Created mod_http2 tracking bugs for this issue:

Affects: fedora-all [bug 1741948]


Created nghttp2 tracking bugs for this issue:

Affects: fedora-all [bug 1741947]

Comment 4 Dhananjay Arunesh 2019-08-16 14:02:49 UTC
Created nghttp2 tracking bugs for this issue:

Affects: epel-all [bug 1741950]

Comment 6 msiddiqu 2019-08-16 14:22:26 UTC
Created nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1741974]

Comment 7 msiddiqu 2019-08-16 14:55:04 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1742093]

Comment 9 msiddiqu 2019-08-16 18:55:17 UTC
Created nginx tracking bugs for this issue:

Affects: epel-all [bug 1742412]
Affects: fedora-all [bug 1742411]

Comment 35 Marco Benatto 2019-09-03 21:24:58 UTC
Mitigation:

The httpd version shipped with Red Hat Enterprise Linux 8 provides HTTP/2 support through mod_http2 package. While mod_http2 package is not updated, users can disable HTTP/2 support as mitigation action by executing the following steps:

1. Stop httpd service:
$ systemctl stop httpd

2. Remove http/2 protocol support from configuration files:
$ sed -i 's/\(h2\)\|\(h2c\)//g' <httpd_config_file>

3. Validate configuration files to make sure all syntax is valid:
$ apachectl configtest

4. Restart httpd service:
$ systemctl start httpd

Comment 36 Marco Benatto 2019-09-03 21:39:46 UTC
Created undertow tracking bugs for this issue:

Affects: fedora-all [bug 1748608]

Comment 37 Sam Fowler 2019-09-04 07:07:38 UTC
Statement:

The package httpd versions as shipped with Red Hat Enterprise Linux 5, 6 and 7 are not affected by this issue as HTTP/2 support is not provided.
This flaw has no available mitigation for nodejs package. It will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.

The nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.

Comment 42 errata-xmlrpc 2019-09-24 13:53:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2893 https://access.redhat.com/errata/RHSA-2019:2893

Comment 43 Product Security DevOps Team 2019-09-24 18:45:45 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-9517

Comment 47 errata-xmlrpc 2019-09-30 07:22:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2925 https://access.redhat.com/errata/RHSA-2019:2925

Comment 48 errata-xmlrpc 2019-09-30 23:39:26 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2939 https://access.redhat.com/errata/RHSA-2019:2939

Comment 49 errata-xmlrpc 2019-10-01 10:32:39 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services on RHEL 6

Via RHSA-2019:2946 https://access.redhat.com/errata/RHSA-2019:2946

Comment 50 errata-xmlrpc 2019-10-01 11:46:13 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2019:2950 https://access.redhat.com/errata/RHSA-2019:2950

Comment 51 errata-xmlrpc 2019-10-01 11:52:31 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2949 https://access.redhat.com/errata/RHSA-2019:2949

Comment 53 errata-xmlrpc 2019-10-02 14:27:11 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2955 https://access.redhat.com/errata/RHSA-2019:2955

Comment 59 errata-xmlrpc 2019-11-20 16:08:57 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2019:3935 https://access.redhat.com/errata/RHSA-2019:3935

Comment 60 errata-xmlrpc 2019-11-20 16:14:07 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2019:3933 https://access.redhat.com/errata/RHSA-2019:3933

Comment 61 errata-xmlrpc 2019-11-20 16:21:57 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2019:3932 https://access.redhat.com/errata/RHSA-2019:3932

Comment 66 errata-xmlrpc 2020-03-23 08:22:55 UTC
This issue has been addressed in the following products:

  Red Hat AMQ

Via RHSA-2020:0922 https://access.redhat.com/errata/RHSA-2020:0922

Comment 68 errata-xmlrpc 2020-03-26 15:48:35 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.6.0

Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983

Comment 69 errata-xmlrpc 2020-04-14 13:05:25 UTC
This issue has been addressed in the following products:

  Red Hat AMQ 7.4.3

Via RHSA-2020:1445 https://access.redhat.com/errata/RHSA-2020:1445


Note You need to log in before you can comment on or make changes to this bug.