Bug 1741860 (CVE-2019-9511) - CVE-2019-9511 HTTP/2: large amount of data requests leads to denial of service
Summary: CVE-2019-9511 HTTP/2: large amount of data requests leads to denial of service
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-9511
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1741947 1741948 1741950 1741981 1741982 1742375 1742376 1744802 1744804 1744806 1744807 1744808 1744809 1744810 1744811 1744813 1744814 1744815 1744816 1744817 1744818 1744819 1744821 1744823 1744824 1744825 1744831 1744997 1744999 1745694 1745695 1745696 1745697 1746421 1748606 1752524 1752545
Blocks: 1735750
Reported: 2019-08-16 09:39 UTC by Dhananjay Arunesh
Modified: 2023-03-24 15:15 UTC (History)

Fixed In Version: Nodejs 8.16.1, Nodejs 10.16.3, Nodejs 12.8.1, nginx 1.16.1, nginx 1.17.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in HTTP/2. An attacker can request a large amount of data by manipulating window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this queue can consume excess CPU, memory, or both, leading to a denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2019-09-10 00:45:40 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2772 0 None None None 2019-09-16 12:24:46 UTC
Red Hat Product Errata RHBA-2019:2788 0 None None None 2019-09-17 03:00:54 UTC
Red Hat Product Errata RHBA-2019:2907 0 None None None 2019-09-26 08:11:56 UTC
Red Hat Product Errata RHBA-2019:2948 0 None None None 2019-10-01 16:54:03 UTC
Red Hat Product Errata RHBA-2019:2951 0 None None None 2019-10-01 17:03:30 UTC
Red Hat Product Errata RHBA-2019:3289 0 None None None 2019-10-31 17:01:10 UTC
Red Hat Product Errata RHBA-2019:3291 0 None None None 2019-10-31 17:05:06 UTC
Red Hat Product Errata RHSA-2019:2692 0 None None None 2019-09-09 20:10:08 UTC
Red Hat Product Errata RHSA-2019:2745 0 None None None 2019-09-12 11:56:15 UTC
Red Hat Product Errata RHSA-2019:2746 0 None None None 2019-09-12 12:02:27 UTC
Red Hat Product Errata RHSA-2019:2775 0 None None None 2019-09-17 14:57:56 UTC
Red Hat Product Errata RHSA-2019:2799 0 None None None 2019-09-19 07:32:25 UTC
Red Hat Product Errata RHSA-2019:2925 0 None None None 2019-09-30 07:22:10 UTC
Red Hat Product Errata RHSA-2019:2939 0 None None None 2019-09-30 23:39:24 UTC
Red Hat Product Errata RHSA-2019:2949 0 None None None 2019-10-01 11:52:29 UTC
Red Hat Product Errata RHSA-2019:2955 0 None None None 2019-10-02 14:27:06 UTC
Red Hat Product Errata RHSA-2019:2966 0 None None None 2019-10-03 18:57:50 UTC
Red Hat Product Errata RHSA-2019:3041 0 None None None 2019-10-14 16:54:10 UTC
Red Hat Product Errata RHSA-2019:3932 0 None None None 2019-11-20 16:21:44 UTC
Red Hat Product Errata RHSA-2019:3933 0 None None None 2019-11-20 16:13:57 UTC
Red Hat Product Errata RHSA-2019:3935 0 None None None 2019-11-20 16:08:51 UTC
Red Hat Product Errata RHSA-2019:4018 0 None None None 2019-11-26 19:55:53 UTC
Red Hat Product Errata RHSA-2019:4019 0 None None None 2019-11-26 20:00:12 UTC
Red Hat Product Errata RHSA-2019:4020 0 None None None 2019-11-26 19:57:27 UTC
Red Hat Product Errata RHSA-2019:4021 0 None None None 2019-11-26 19:59:03 UTC
Red Hat Product Errata RHSA-2020:0922 0 None None None 2020-03-23 08:22:42 UTC
Red Hat Product Errata RHSA-2020:1445 0 None None None 2020-04-14 13:05:20 UTC
Red Hat Product Errata RHSA-2020:2067 0 None None None 2020-05-18 10:26:04 UTC
Red Hat Product Errata RHSA-2020:2565 0 None None None 2020-06-15 16:18:37 UTC
Red Hat Product Errata RHSA-2020:3192 0 None None None 2020-07-28 15:54:42 UTC

Description Dhananjay Arunesh 2019-08-16 09:39:58 UTC
A vulnerability was found in http/2 where an attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

Comment 1 Dhananjay Arunesh 2019-08-16 09:40:12 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1741861]

Comment 3 Dhananjay Arunesh 2019-08-16 14:01:16 UTC
Created mod_http2 tracking bugs for this issue:

Affects: fedora-all [bug 1741948]


Created nghttp2 tracking bugs for this issue:

Affects: fedora-all [bug 1741947]

Comment 4 Dhananjay Arunesh 2019-08-16 14:02:25 UTC
Created nghttp2 tracking bugs for this issue:

Affects: epel-all [bug 1741950]

Comment 6 msiddiqu 2019-08-16 14:26:23 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1741982]
Affects: fedora-all [bug 1741981]

Comment 8 msiddiqu 2019-08-16 18:41:44 UTC
Created nginx tracking bugs for this issue:

Affects: epel-all [bug 1742376]
Affects: fedora-all [bug 1742375]

Comment 10 Marco Benatto 2019-08-22 21:49:14 UTC
Created nghttp2 tracking bugs for this issue:

Affects: epel-all [bug 1744803]
Affects: fedora-all [bug 1744802]

Comment 12 Marco Benatto 2019-08-22 21:53:39 UTC
NodeJS upstream commits for this issue:
https://github.com/nodejs/node/commit/c152449012
https://github.com/nodejs/node/commit/0ce699c7b1

Comment 13 Marco Benatto 2019-08-22 21:56:00 UTC
nghttp2 upstream commit for this issue:

https://github.com/nghttp2/nghttp2/commit/95efb3e19d174354ca50c65d5d7227d92bcd60e1

Comment 19 Marco Benatto 2019-08-23 13:10:10 UTC
NGINX upstream commit:
http://hg.nginx.org/nginx/rev/99b6733876c4

Comment 43 Marco Benatto 2019-09-03 21:38:35 UTC
Created undertow tracking bugs for this issue:

Affects: fedora-all [bug 1748606]

Comment 49 errata-xmlrpc 2019-09-09 20:10:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2692 https://access.redhat.com/errata/RHSA-2019:2692

Comment 50 Product Security DevOps Team 2019-09-10 00:45:40 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-9511

Comment 52 errata-xmlrpc 2019-09-12 11:56:11 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:2745 https://access.redhat.com/errata/RHSA-2019:2745

Comment 53 errata-xmlrpc 2019-09-12 12:02:23 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2746 https://access.redhat.com/errata/RHSA-2019:2746

Comment 54 errata-xmlrpc 2019-09-17 14:57:51 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2775 https://access.redhat.com/errata/RHSA-2019:2775

Comment 55 errata-xmlrpc 2019-09-19 07:32:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2799 https://access.redhat.com/errata/RHSA-2019:2799

Comment 57 Marco Benatto 2019-09-19 21:10:10 UTC
Mitigation:

Red Hat Quay 3.0 uses Nginx 1.12 from Red Hat Software Collections. It will be updated once a fix is released for Software Collections. In the meantime, users of Quay can disable http/2 support in Nginx by following these instructions:

1. Copy the Nginx configuration from the quay container to the host
$ docker cp 3aadf1421ba3:/quay-registry/conf/nginx/ /mnt/quay/nginx

2. Edit the Nginx configuration, removing http/2 support
$ sed -i 's/http2 //g' /mnt/quay/nginx/nginx.conf

3. Restart Nginx with the new configuration mounted into the container, e.g.:
$ docker run --restart=always -p 443:8443 -p 80:8080 --sysctl net.core.somaxconn=4096 -v /mnt/quay/config:/conf/stack:Z -v /mnt/quay/storage:/datastorage -v /mnt/quay/nginx:/quay-registry/config/nginx:Z -d quay.io/redhat/quay:v3.0.3
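The steps above edit the Nginx configuration with `sed -i 's/http2 //g'`, which only matches `http2` when a space follows it; a `listen` directive where `http2` is the last parameter before the `;` is left unchanged, and nothing in the procedure verifies the result. The script below is an added example (not Red Hat's or Quay's own tooling) that removes the `http2` token from every `listen` directive wherever it sits on the line and then checks that none remain. The sample configuration, the function names and the output path are constructed for the example; also note that step 1 copies from `/quay-registry/conf/nginx/` while step 3 mounts into `/quay-registry/config/nginx`, so confirm which path your container actually reads before mounting.

```shell
#!/bin/sh
# Added example: disable HTTP/2 in an nginx configuration and verify the result.
# SAMPLE_CONF is a constructed fragment, not the real Quay container config.
SAMPLE_CONF='server {
    listen 8443 ssl http2;
    listen [::]:8443 ssl http2 default_server;
    server_name _;
}'

# Write the constructed sample configuration to the given path.
write_sample_conf() {
    printf '%s\n' "$SAMPLE_CONF" > "$1"
}

# Strip the http2 token from every listen directive in the file.
# Matches the token whether another parameter or the ';' follows it,
# which the one-liner 's/http2 //g' (trailing space required) does not.
disable_http2() {
    conf="$1"
    sed 's/^\([[:space:]]*listen[^;]*\)[[:space:]]http2\([[:space:];]\)/\1\2/' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Return 0 (true) if any listen directive still enables http2, 1 otherwise.
has_http2() {
    grep -Eq '^[[:space:]]*listen[^;]*[[:space:]]http2[[:space:];]' "$1"
}

# Usage: sh disable_http2.sh /mnt/quay/nginx/nginx.conf
# (path is the one used in the mitigation steps; adjust to your deployment)
if [ "$#" -eq 1 ]; then
    disable_http2 "$1"
    if has_http2 "$1"; then
        echo "http2 is still enabled in $1" >&2
        exit 1
    fi
    echo "http2 disabled in $1"
fi
```

After restarting the container with the edited configuration mounted in, a request such as `curl -sI --http2 https://<quay-host>/` should be answered over HTTP/1.1 rather than HTTP/2, which confirms the server no longer negotiates h2 via ALPN.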

Comment 67 Lin Gao 2019-09-24 05:54:08 UTC
@chazlett, may I know why undertow tracking bugs were created, since it is not affected (according to your previous comment #c65)?

Comment 72 errata-xmlrpc 2019-09-30 07:22:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2925 https://access.redhat.com/errata/RHSA-2019:2925

Comment 73 errata-xmlrpc 2019-09-30 23:39:20 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2939 https://access.redhat.com/errata/RHSA-2019:2939

Comment 74 errata-xmlrpc 2019-10-01 11:52:25 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2949 https://access.redhat.com/errata/RHSA-2019:2949

Comment 75 errata-xmlrpc 2019-10-02 14:27:01 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2955 https://access.redhat.com/errata/RHSA-2019:2955

Comment 76 errata-xmlrpc 2019-10-03 18:57:46 UTC
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2019:2966 https://access.redhat.com/errata/RHSA-2019:2966

Comment 78 errata-xmlrpc 2019-10-14 16:54:05 UTC
This issue has been addressed in the following products:

  Openshift Service Mesh 1.0
  OpenShift Service Mesh 1.0

Via RHSA-2019:3041 https://access.redhat.com/errata/RHSA-2019:3041

Comment 84 Paramvir jindal 2019-11-19 10:46:19 UTC
As per the pull request sent for JBoss EAP for this issue, undertow version 2.0.24 should include the fix, and RHSSO 7.3.4 (latest GA version available) ships undertow-core-2.0.25.SP1-redhat-00001.jar, so it should already include the fix; I am therefore marking RHSSO as not affected.

Comment 85 errata-xmlrpc 2019-11-20 16:08:42 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2019:3935 https://access.redhat.com/errata/RHSA-2019:3935

Comment 86 errata-xmlrpc 2019-11-20 16:13:48 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2019:3933 https://access.redhat.com/errata/RHSA-2019:3933

Comment 87 errata-xmlrpc 2019-11-20 16:21:39 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2019:3932 https://access.redhat.com/errata/RHSA-2019:3932

Comment 93 errata-xmlrpc 2019-11-26 19:55:49 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2019:4018 https://access.redhat.com/errata/RHSA-2019:4018

Comment 94 errata-xmlrpc 2019-11-26 19:57:23 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2019:4020 https://access.redhat.com/errata/RHSA-2019:4020

Comment 95 errata-xmlrpc 2019-11-26 19:59:00 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2019:4021 https://access.redhat.com/errata/RHSA-2019:4021

Comment 96 errata-xmlrpc 2019-11-26 20:00:08 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2019:4019 https://access.redhat.com/errata/RHSA-2019:4019

Comment 109 errata-xmlrpc 2020-03-23 08:22:31 UTC
This issue has been addressed in the following products:

  Red Hat AMQ

Via RHSA-2020:0922 https://access.redhat.com/errata/RHSA-2020:0922

Comment 115 errata-xmlrpc 2020-04-14 13:05:14 UTC
This issue has been addressed in the following products:

  Red Hat AMQ 7.4.3

Via RHSA-2020:1445 https://access.redhat.com/errata/RHSA-2020:1445

Comment 116 Eric Christensen 2020-05-04 13:04:35 UTC
Statement:

There are no mitigations available for nghttp2 and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.

The nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.

Comment 117 errata-xmlrpc 2020-05-18 10:25:54 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067

Comment 118 errata-xmlrpc 2020-06-15 16:18:32 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:2565 https://access.redhat.com/errata/RHSA-2020:2565

Comment 119 errata-xmlrpc 2020-07-28 15:54:37 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.7.0

Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192
