HTTP/2 flood using PING frames and queueing of response PING ACK frames that results in unbounded memory growth.
Acknowledgments: Name: the Envoy security team
https://istio.io/blog/2019/announcing-1.2.4/
Issue in golang: https://github.com/golang/go/issues/33606
Created golang tracking bugs for this issue: Affects: epel-all [bug 1741815] Affects: fedora-all [bug 1741816]
Created nodejs tracking bugs for this issue: Affects: epel-all [bug 1741989] Affects: fedora-all [bug 1741988]
Created nodejs tracking bugs for this issue: Affects: epel-all [bug 1741997] Affects: fedora-all [bug 1741996]
Created nginx tracking bugs for this issue: Affects: epel-all [bug 1742247] Affects: fedora-all [bug 1742245]
NodeJS upstream commit: https://github.com/nodejs/node/commit/fd148d38d259fee8507cdb5c57dda82e1d1a4819
Created kubernetes tracking bugs for this issue: Affects: fedora-all [bug 1745594]
golang has a bundled HTTP/2 implementation. Upstream commit containing the fix backport: https://github.com/golang/go/commit/e152b01a468a1c18a290bf9aec52ccea7693c7f2
All golang upstream patches: net/http/ https://github.com/golang/go/commit/e152b01a468a1c18a290bf9aec52ccea7693c7f2 [1.11] https://github.com/golang/go/commit/7139b45d1410ded14e1e131151fd8dfc435ede6c [1.12] x/net/http2 https://github.com/golang/net/commit/b1cc14aba47abf96f96818003fa4caad3a4b4e86 [1.11] https://github.com/golang/net/commit/cdfb69ac37fc6fa907650654115ebebb3aae2087 [1.12]
External References: https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/ https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html
Created undertow tracking bugs for this issue: Affects: fedora-all [bug 1748583]
This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2019:2682 https://access.redhat.com/errata/RHSA-2019:2682
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:2726 https://access.redhat.com/errata/RHSA-2019:2726
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2019:2594 https://access.redhat.com/errata/RHSA-2019:2594
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-9512
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2019:2661 https://access.redhat.com/errata/RHSA-2019:2661
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.10 Via RHSA-2019:2690 https://access.redhat.com/errata/RHSA-2019:2690
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2019:2766 https://access.redhat.com/errata/RHSA-2019:2766
This issue has been addressed in the following products: Red Hat OpenStack Platform 14.0 (Rocky) Via RHSA-2019:2796 https://access.redhat.com/errata/RHSA-2019:2796
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2019:2861 https://access.redhat.com/errata/RHSA-2019:2861
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:2925 https://access.redhat.com/errata/RHSA-2019:2925
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2019:2939 https://access.redhat.com/errata/RHSA-2019:2939
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2019:2955 https://access.redhat.com/errata/RHSA-2019:2955
This issue has been addressed in the following products: Red Hat Quay 3 Via RHSA-2019:2966 https://access.redhat.com/errata/RHSA-2019:2966
Statement: The golang package in Red Hat OpenStack Platform 9 Operational Tools will not be updated for this flaw because it is in technical preview and is retiring as of 24.Aug.2019. This issue did not affect the versions of grafana(embeds golang) as shipped with Red Hat Ceph Storage 2 and Red Hat Gluster Storage 3 as they did not include the support for HTTP/2. The following storage product versions are affected because they include the support for HTTP/2 in: * golang as shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3 * heketi(embeds golang) as shipped with Red Hat Gluster Storage 3 * grafana(embeds golang and grpc) as shipped with Red Hat Ceph Storage 3 This flaw has no available mitigation for packages golang and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections. The nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code. All OpenShift Container Platform RPMs and container images that are built with Go and support HTTP/2 are vulnerable to this flaw.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2019:3131 https://access.redhat.com/errata/RHSA-2019:3131
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.9 Via RHSA-2019:2769 https://access.redhat.com/errata/RHSA-2019:2769
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.2 Via RHSA-2019:3245 https://access.redhat.com/errata/RHSA-2019:3245
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2019:3265 https://access.redhat.com/errata/RHSA-2019:3265
This issue has been addressed in the following products: Red Hat Fuse 7.5.0 Via RHSA-2019:3892 https://access.redhat.com/errata/RHSA-2019:3892
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2019:3906 https://access.redhat.com/errata/RHSA-2019:3906
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 Via RHSA-2019:4018 https://access.redhat.com/errata/RHSA-2019:4018
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8 Via RHSA-2019:4020 https://access.redhat.com/errata/RHSA-2019:4020
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2019:4021 https://access.redhat.com/errata/RHSA-2019:4021
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7 Via RHSA-2019:4019 https://access.redhat.com/errata/RHSA-2019:4019
This issue has been addressed in the following products: Red Hat Single Sign-On 7.3 for RHEL 7 Via RHSA-2019:4041 https://access.redhat.com/errata/RHSA-2019:4041
This issue has been addressed in the following products: Red Hat Single Sign-On 7.3 for RHEL 6 Via RHSA-2019:4040 https://access.redhat.com/errata/RHSA-2019:4040
This issue has been addressed in the following products: Red Hat Single Sign-On 7.3 for RHEL 8 Via RHSA-2019:4042 https://access.redhat.com/errata/RHSA-2019:4042
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2019:4045 https://access.redhat.com/errata/RHSA-2019:4045
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:4269 https://access.redhat.com/errata/RHSA-2019:4269
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:4273 https://access.redhat.com/errata/RHSA-2019:4273
This issue has been addressed in the following products: Red Hat Fuse 6.3 Via RHSA-2019:4352 https://access.redhat.com/errata/RHSA-2019:4352
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2020:0406 https://access.redhat.com/errata/RHSA-2020:0406
This issue has been addressed in the following products: Red Hat Data Grid 7.3.3 Via RHSA-2020:0727 https://access.redhat.com/errata/RHSA-2020:0727
This issue has been addressed in the following products: Red Hat AMQ Via RHSA-2020:0922 https://access.redhat.com/errata/RHSA-2020:0922
This issue has been addressed in the following products: Red Hat Fuse 7.6.0 Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983
This issue has been addressed in the following products: Red Hat AMQ 7.4.3 Via RHSA-2020:1445 https://access.redhat.com/errata/RHSA-2020:1445
This issue has been addressed in the following products: Red Hat Openshift Application Runtimes Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2020:2565 https://access.redhat.com/errata/RHSA-2020:2565
This issue has been addressed in the following products: Red Hat Decision Manager Via RHSA-2020:3196 https://access.redhat.com/errata/RHSA-2020:3196
This issue has been addressed in the following products: Red Hat Process Automation Via RHSA-2020:3197 https://access.redhat.com/errata/RHSA-2020:3197