Bug 1735741 (CVE-2019-9513) - CVE-2019-9513 HTTP/2: flood using PRIORITY frames results in excessive resource consumption
Summary: CVE-2019-9513 HTTP/2: flood using PRIORITY frames results in excessive resource consumption
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-9513
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1741971 1742296 1744328 1744331 1744594 1745689 1745692 1746420 1748602 1741965 1741967 1742011 1742294 1744325 1744326 1744327 1744330 1744332 1744333 1744574 1744576 1744591 1744592 1744593 1744595 1744598 1744832 1745690 1745691 1752527 1752542
Blocks: 1735750
Reported: 2019-08-01 11:34 UTC by Marian Rehak
Modified: 2019-11-06 19:08 UTC
CC: 119 users

Fixed In Version: envoy 1.11.1, Nodejs 8.16.1, Nodejs 10.16.3, Nodejs 12.8.1, nginx 1.16.1, nginx 1.17.3, nghttp2 1.39.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-09-10 00:45:33 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2772 None None None 2019-09-16 12:24:43 UTC
Red Hat Product Errata RHBA-2019:2788 None None None 2019-09-17 03:00:54 UTC
Red Hat Product Errata RHBA-2019:2907 None None None 2019-09-26 08:11:56 UTC
Red Hat Product Errata RHBA-2019:2948 None None None 2019-10-01 16:54:02 UTC
Red Hat Product Errata RHBA-2019:2951 None None None 2019-10-01 17:03:30 UTC
Red Hat Product Errata RHBA-2019:3289 None None None 2019-10-31 17:00:56 UTC
Red Hat Product Errata RHBA-2019:3291 None None None 2019-10-31 17:04:56 UTC
Red Hat Product Errata RHSA-2019:2692 None None None 2019-09-09 20:10:04 UTC
Red Hat Product Errata RHSA-2019:2745 None None None 2019-09-12 11:56:14 UTC
Red Hat Product Errata RHSA-2019:2746 None None None 2019-09-12 12:02:26 UTC
Red Hat Product Errata RHSA-2019:2775 None None None 2019-09-17 14:57:53 UTC
Red Hat Product Errata RHSA-2019:2799 None None None 2019-09-19 07:32:26 UTC
Red Hat Product Errata RHSA-2019:2925 None None None 2019-09-30 07:21:57 UTC
Red Hat Product Errata RHSA-2019:2939 None None None 2019-09-30 23:39:11 UTC
Red Hat Product Errata RHSA-2019:2949 None None None 2019-10-01 11:52:26 UTC
Red Hat Product Errata RHSA-2019:2955 None None None 2019-10-02 14:26:51 UTC
Red Hat Product Errata RHSA-2019:2966 None None None 2019-10-03 18:57:40 UTC
Red Hat Product Errata RHSA-2019:3041 None None None 2019-10-14 16:54:09 UTC

Description Marian Rehak 2019-08-01 11:34:46 UTC
HTTP/2 flood using PRIORITY frames that results in excessive CPU usage and starvation of other clients.
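To make the flaw concrete, the following is an added example (not code from nghttp2, nginx, Envoy or Node.js, and not part of this bug report). It parses raw HTTP/2 frames and models the kind of defence the affected servers adopted: a per-connection budget of PRIORITY frames that only grows as the client actually opens streams, with the connection torn down with ENHANCE_YOUR_CALM once the budget is spent. The budget policy and the constant MAX_CONCURRENT_STREAMS are this example's own assumptions, and the attacker and benign traffic are constructed inline.

```python
"""Per-connection PRIORITY-frame budget against CVE-2019-9513-style floods.

Added example, not code from nghttp2, nginx, Envoy or Node.js.  It parses
raw HTTP/2 frames (RFC 7540 section 4.1) and models the kind of fix the
affected servers adopted: count PRIORITY frames per connection, let the
budget grow only as the client opens streams, and close the connection
with ENHANCE_YOUR_CALM when the budget runs out.  The budget constants are
this example's own assumptions, not the values any particular server uses.
"""
import struct

FRAME_HEADERS = 0x1
FRAME_PRIORITY = 0x2

# RFC 7540 section 7 error codes
PROTOCOL_ERROR = 0x1
FRAME_SIZE_ERROR = 0x6
ENHANCE_YOUR_CALM = 0xB

# Assumed policy: the budget is seeded with MAX_CONCURRENT_STREAMS PRIORITY
# frames and topped up by the same amount each time the client opens a stream.
MAX_CONCURRENT_STREAMS = 128


def build_frame(ftype, flags, stream_id, payload):
    """Encode one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def priority_payload(dependency, weight, exclusive=False):
    """5-byte PRIORITY payload: E bit + 31-bit dependency, then weight - 1."""
    dep = (dependency & 0x7FFFFFFF) | (0x80000000 if exclusive else 0)
    return struct.pack(">IB", dep, weight - 1)


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        end = off + 9 + length
        if end > len(data):
            break  # partial trailing frame: a real server would buffer it
        yield ftype, flags, stream_id, data[off + 9:end]
        off = end


class Http2Connection:
    """Server-side state for one connection: open streams and PRIORITY budget."""

    def __init__(self, max_streams=MAX_CONCURRENT_STREAMS):
        self.max_streams = max_streams
        self.streams = set()
        self.priority_budget = max_streams
        self.priority_seen = 0
        self.error = None  # connection error code once we decide to GOAWAY

    def _fail(self, code):
        self.error = code
        return False

    def handle(self, ftype, flags, stream_id, payload):
        """Return True to keep reading, False once the connection is closed."""
        if self.error is not None:
            return False
        if ftype == FRAME_HEADERS and stream_id not in self.streams:
            # A genuinely new stream: the client is doing real work, so
            # extend its allowance for reprioritising the dependency tree.
            self.streams.add(stream_id)
            self.priority_budget += self.max_streams
        elif ftype == FRAME_PRIORITY:
            if stream_id == 0:
                return self._fail(PROTOCOL_ERROR)    # RFC 7540 section 6.3
            if len(payload) != 5:
                return self._fail(FRAME_SIZE_ERROR)  # RFC 7540 section 6.3
            self.priority_seen += 1
            self.priority_budget -= 1
            if self.priority_budget <= 0:
                # The vulnerable behaviour was to keep re-linking the priority
                # tree for every such frame, without bound, on idle streams.
                return self._fail(ENHANCE_YOUR_CALM)
        return True

    def feed(self, data):
        """Process a byte stream; return the connection error code or None."""
        for frame in parse_frames(data):
            if not self.handle(*frame):
                break
        return self.error


def priority_flood(count):
    """Constructed attacker traffic: PRIORITY frames on streams never opened."""
    return b"".join(build_frame(FRAME_PRIORITY, 0, 2 * i + 1, priority_payload(0, 16))
                    for i in range(count))


def normal_client(streams, reprioritisations):
    """Constructed benign traffic: open streams, then reprioritise each of them."""
    out = b""
    for i in range(streams):
        sid = 2 * i + 1
        out += build_frame(FRAME_HEADERS, 0x5, sid, b"")  # END_STREAM|END_HEADERS
        out += b"".join(build_frame(FRAME_PRIORITY, 0, sid, priority_payload(0, 1))
                        for _ in range(reprioritisations))
    return out


if __name__ == "__main__":
    print("flood:", Http2Connection().feed(priority_flood(10_000)))
    print("benign:", Http2Connection().feed(normal_client(20, 50)))
```

PRIORITY is legal on idle streams, which is exactly why a server cannot simply reject the frames; the budget ties the work an attacker can demand to the streams it has actually opened, so a client that only ever sends PRIORITY is cut off early while a real browser that reprioritises its open requests never notices.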

Comment 1 Marian Rehak 2019-08-09 07:27:41 UTC
Acknowledgments:

Name: the Envoy security team

Comment 3 Timothy Walsh 2019-08-15 06:29:39 UTC
https://istio.io/blog/2019/announcing-1.2.4/

Comment 6 msiddiqu 2019-08-16 14:21:42 UTC
Created nghttp2 tracking bugs for this issue:

Affects: epel-all [bug 1741965]


Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1741971]
Affects: fedora-all [bug 1741967]

Comment 7 msiddiqu 2019-08-16 14:39:51 UTC
Created nghttp2 tracking bugs for this issue:

Affects: fedora-all [bug 1742011]

Comment 9 msiddiqu 2019-08-16 18:22:06 UTC
Created nginx tracking bugs for this issue:

Affects: epel-all [bug 1742296]
Affects: fedora-all [bug 1742294]

Comment 11 Marco Benatto 2019-08-21 20:45:20 UTC
Upstream commit for NGINX: http://hg.nginx.org/nginx/rev/45415228990b

Comment 15 Jason Shepherd 2019-08-22 05:51:42 UTC
Mitigation:

Red Hat Quay 3.0 uses Nginx 1.12 from Red Hat Software Collections. It will be updated once a fix is released for Software Collections. In the meantime, users of Quay can disable HTTP/2 support in Nginx by following these instructions:

1. Copy the Nginx configuration from the quay container to the host
$ docker cp 3aadf1421ba3:/quay-registry/conf/nginx/ /mnt/quay/nginx

2. Edit the Nginx configuration, removing http/2 support
$ sed -i 's/http2 //g' /mnt/quay/nginx/nginx.conf

3. Restart Nginx with the new configuration mounted into the container, eg:
$ docker run --restart=always -p 443:8443 -p 80:8080 --sysctl net.core.somaxconn=4096 -v /mnt/quay/config:/conf/stack:Z -v /mnt/quay/storage:/datastorage -v /mnt/quay/nginx:/quay-registry/config/nginx:Z -d quay.io/redhat/quay:v3.0.3
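As an added example (not part of the Quay mitigation above and not Red Hat's tooling), the following does the same job as the sed one-liner in step 2 but matches the http2 parameter wherever it appears in a listen directive, including the common `ssl http2;` form where no space follows the token, and provides a check that no listen directive still negotiates HTTP/2. The sample nginx configuration is constructed for this example; paths, ports and the server_name are hypothetical.

```python
"""Strip the http2 parameter from nginx listen directives and verify the result.

Added example, not part of the Quay mitigation.  A pattern such as
's/http2 //g' only matches when a space follows the token, so
'listen 443 ssl http2;' would be left enabled.  This matches the token
as a whole word inside listen directives only, leaving unrelated directives
such as http2_max_field_size untouched.  SAMPLE_CONF is constructed.
"""
import re

# One `listen` directive: from the keyword up to (not including) its ';'.
_LISTEN = re.compile(r"(?m)^([ \t]*listen\s[^;#]*);")
# The http2 token as a whole word (not http2_max_field_size, etc.).
_HTTP2_PARAM = re.compile(r"(?<![\w.-])http2(?![\w.-])")

SAMPLE_CONF = """\
http {
    http2_max_field_size 4k;
    server {
        listen 8443 ssl http2 default_server;
        listen [::]:8443 ssl http2;
        listen 8080;
        server_name quay.example;   # hypothetical name
    }
}
"""


def disable_http2(conf):
    """Return conf with the http2 parameter removed from every listen directive."""
    def fix(match):
        body = _HTTP2_PARAM.sub("", match.group(1))
        body = re.sub(r"[ \t]{2,}", " ", body).rstrip()  # tidy the gap left behind
        return body + ";"
    return _LISTEN.sub(fix, conf)


def listens_with_http2(conf):
    """Return listen directives that still enable HTTP/2 (empty once mitigated)."""
    return [m.group(0).strip() for m in _LISTEN.finditer(conf)
            if _HTTP2_PARAM.search(m.group(1))]


if __name__ == "__main__":
    fixed = disable_http2(SAMPLE_CONF)
    print(fixed)
    print("still HTTP/2:", listens_with_http2(fixed))
```

Run `listens_with_http2` over the rewritten file before restarting the container, and validate the result with `nginx -t` (or by starting a throwaway container) so that a syntax slip does not take the registry down along with HTTP/2.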

Comment 18 Kamil Dudka 2019-08-22 13:19:51 UTC
(In reply to Marco Benatto from comment #16)
> Upstream commits for nghttp2 seems to be:

That is exactly what I backported for epel-7:

https://src.fedoraproject.org/rpms/nghttp2/blob/epel7/f/nghttp2-1.31.1-CVE-2019-9511-and-CVE-2019-9513.patch

I thought it fixes also CVE-2019-9511, doesn't it?

Comment 19 Marco Benatto 2019-08-22 13:24:49 UTC
In reply to comment #18:
> (In reply to Marco Benatto from comment #16)
> > Upstream commits for nghttp2 seems to be:
> 
> That is exactly what I backported for epel-7:
> 
> https://src.fedoraproject.org/rpms/nghttp2/blob/epel7/f/nghttp2-1.31.1-CVE-
> 2019-9511-and-CVE-2019-9513.patch
> 
> I thought it fixes also CVE-2019-9511, doesn't it?

It seems to be.
The git changelog doesn't provide specific information about which commit fixes which CVE, but given the flaw descriptions and the commit context they seem to be the right ones.
I'm double-checking with the upstream maintainers and will update this bug in case we get something different.

Comment 20 Kamil Dudka 2019-08-22 13:41:52 UTC
Thank you for clarifying it!

Comment 23 Marco Benatto 2019-08-22 14:39:32 UTC
In reply to comment #20:
> Thank you for clarifying it!

I've heard back from upstream; according to Tatsuhiro, the commit which fixes both CVE-2019-9513 and CVE-2019-9511 is:

https://github.com/nghttp2/nghttp2/commit/95efb3e19d174354ca50c65d5d7227d92bcd60e1

His reply:
"Tatsuhiro Tsujikawa
Hi,

On Thu, Aug 22, 2019 at 9:59 PM Marco Benatto <mbenatto@redhat.com> wrote:

    Hello Tatsuhiro,

    I'm Marco Benatto, a Sr. Product Security Engineer at Red Hat, and
    I'm working on the analysis of the CVEs mentioned in the subject
    and their fixes for nghttp2.

    Sorry to bother you, but may I have your help to confirm/identify which
    commits fix those CVEs? Should it be:

    https://github.com/nghttp2/nghttp2/commit/95efb3e19d174354ca50c65d5d7227d92bcd60e1
    https://github.com/nghttp2/nghttp2/commit/0a6ce87c22c69438ecbffe52a2859c3a32f1620f
    https://github.com/nghttp2/nghttp2/commit/319d5ab1c6d916b6b8a0d85b2ae3f01b3ad04f2c


https://github.com/nghttp2/nghttp2/commit/95efb3e19d174354ca50c65d5d7227d92bcd60e1

fixes the CVE.

Best regards,
Tatsuhiro Tsujikawa"

Comment 36 Marco Benatto 2019-09-03 21:34:40 UTC
Created undertow tracking bugs for this issue:

Affects: fedora-all [bug 1748602]

Comment 37 Sam Fowler 2019-09-04 07:06:35 UTC
Statement:

This flaw has no available mitigation for packages nghttp2 and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.

The nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.

Comment 41 errata-xmlrpc 2019-09-09 20:10:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2692 https://access.redhat.com/errata/RHSA-2019:2692

Comment 42 Product Security DevOps Team 2019-09-10 00:45:33 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-9513

Comment 43 errata-xmlrpc 2019-09-12 11:56:10 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:2745 https://access.redhat.com/errata/RHSA-2019:2745

Comment 44 errata-xmlrpc 2019-09-12 12:02:23 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2746 https://access.redhat.com/errata/RHSA-2019:2746

Comment 45 errata-xmlrpc 2019-09-17 14:57:48 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2775 https://access.redhat.com/errata/RHSA-2019:2775

Comment 46 errata-xmlrpc 2019-09-19 07:32:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2799 https://access.redhat.com/errata/RHSA-2019:2799

Comment 58 errata-xmlrpc 2019-09-30 07:21:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2925 https://access.redhat.com/errata/RHSA-2019:2925

Comment 59 errata-xmlrpc 2019-09-30 23:39:07 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2939 https://access.redhat.com/errata/RHSA-2019:2939

Comment 60 errata-xmlrpc 2019-10-01 11:52:22 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2949 https://access.redhat.com/errata/RHSA-2019:2949

Comment 61 errata-xmlrpc 2019-10-02 14:26:47 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2955 https://access.redhat.com/errata/RHSA-2019:2955

Comment 62 errata-xmlrpc 2019-10-03 18:57:36 UTC
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2019:2966 https://access.redhat.com/errata/RHSA-2019:2966

Comment 63 errata-xmlrpc 2019-10-14 16:54:05 UTC
This issue has been addressed in the following products:

  Openshift Service Mesh 1.0

Via RHSA-2019:3041 https://access.redhat.com/errata/RHSA-2019:3041

