Bug 1735744 (CVE-2019-9514) - CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth
Summary: CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-9514
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20190813:1700...
Depends On: 1766332 1741826 1741827 1742039 1742041 1742308 1742310 1743204 1743205 1743470 1743472 1743473 1743906 1744729 1744731 1744732 1744733 1744734 1744735 1745595 1745703 1745704 1745705 1745706 1746493 1746494 1746495 1746496 1746498 1746638 1746640 1746645 1746646 1746650 1746652 1746653 1746654 1746659 1746661 1746664 1748603 1748717 1748718 1749141 1749427 1751879 1751880 1752474 1753278 1753452 1761818 1761819 1761820 1761821 1761822 1761823 1761824 1761825 1761826 1761827 1761828 1761829 1761830 1761832 1761873 1762051 1762052 1762053 1762054 1762055 1762056 1762057 1762058 1762059 1762060 1762061 1762062 1762063 1762064 1762065 1762066 1762067 1762068 1762069 1762070 1762071 1762072 1762073 1762074 1762075 1762076 1762077 1762078 1762079 1762080 1762082 1762088 1762089 1762090 1762091 1762092 1762093 1762094 1762095 1762096 1762097 1762098 1762099 1762100 1762101 1762102 1762103 1762104 1762105 1762106 1762107 1762108 1762109 1762110 1762111 1762112 1762113 1762114 1762115 1762116 1762117 1762118 1762121 1762122 1762123 1764859 1766308 1766309 1766310 1766311 1766312 1766313 1766314 1766315 1766316 1766317 1766318 1766319 1766320 1766321 1766322 1766323 1766324 1766325 1766326 1766327 1766328 1766329 1766330 1766331 1766333 1766334 1772134 1772135 1772136 1772137 1789849 1789850 1790646 1790647
Blocks: 1735750
Reported: 2019-08-01 11:43 UTC by Marian Rehak
Modified: 2023-03-24 15:09 UTC (History)
CC: 184 users

Fixed In Version: envoy 1.11.1, golang 1.11.13, golang 1.12.8, Nodejs 8.16.1, Nodejs 10.16.3, Nodejs 12.8.1, gRPC-Go 1.21.3, gRPC-Go 1.22.2, gRPC-Go 1.23.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in HTTP/2. Using HEADERS frames with invalid HTTP headers and queuing of response RST_STREAM frames, an attacker could cause a flood resulting in unbounded memory growth. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2019-09-10 18:45:40 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2886 0 None None None 2019-09-23 20:05:05 UTC
Red Hat Product Errata RHBA-2019:3213 0 None None None 2019-10-29 10:14:25 UTC
Red Hat Product Errata RHBA-2019:3289 0 None None None 2019-10-31 17:01:01 UTC
Red Hat Product Errata RHBA-2019:3291 0 None None None 2019-10-31 17:04:58 UTC
Red Hat Product Errata RHSA-2019:2594 0 None None None 2019-09-10 15:59:32 UTC
Red Hat Product Errata RHSA-2019:2661 0 None None None 2019-09-11 05:45:00 UTC
Red Hat Product Errata RHSA-2019:2682 0 None None None 2019-09-09 09:48:11 UTC
Red Hat Product Errata RHSA-2019:2690 0 None None None 2019-09-11 15:28:44 UTC
Red Hat Product Errata RHSA-2019:2726 0 None None None 2019-09-10 13:49:37 UTC
Red Hat Product Errata RHSA-2019:2766 0 None None None 2019-09-12 18:33:08 UTC
Red Hat Product Errata RHSA-2019:2769 0 None None None 2019-10-24 03:07:52 UTC
Red Hat Product Errata RHSA-2019:2796 0 None None None 2019-09-19 02:28:35 UTC
Red Hat Product Errata RHSA-2019:2861 0 None None None 2019-09-26 17:21:41 UTC
Red Hat Product Errata RHSA-2019:2925 0 None None None 2019-09-30 07:22:00 UTC
Red Hat Product Errata RHSA-2019:2939 0 None None None 2019-09-30 23:39:14 UTC
Red Hat Product Errata RHSA-2019:2955 0 None None None 2019-10-02 14:26:54 UTC
Red Hat Product Errata RHSA-2019:2966 0 None None None 2019-10-03 18:57:41 UTC
Red Hat Product Errata RHSA-2019:3131 0 None None None 2019-10-16 15:35:34 UTC
Red Hat Product Errata RHSA-2019:3245 0 None None None 2019-10-29 17:41:52 UTC
Red Hat Product Errata RHSA-2019:3265 0 None None None 2019-10-30 18:19:00 UTC
Red Hat Product Errata RHSA-2019:3892 0 None None None 2019-11-14 21:18:39 UTC
Red Hat Product Errata RHSA-2019:3906 0 None None None 2019-11-18 16:24:52 UTC
Red Hat Product Errata RHSA-2019:4018 0 None None None 2019-11-26 19:55:44 UTC
Red Hat Product Errata RHSA-2019:4019 0 None None None 2019-11-26 20:00:04 UTC
Red Hat Product Errata RHSA-2019:4020 0 None None None 2019-11-26 19:57:20 UTC
Red Hat Product Errata RHSA-2019:4021 0 None None None 2019-11-26 19:58:57 UTC
Red Hat Product Errata RHSA-2019:4040 0 None None None 2019-12-02 17:03:36 UTC
Red Hat Product Errata RHSA-2019:4041 0 None None None 2019-12-02 17:03:01 UTC
Red Hat Product Errata RHSA-2019:4042 0 None None None 2019-12-02 17:03:54 UTC
Red Hat Product Errata RHSA-2019:4045 0 None None None 2019-12-02 17:21:27 UTC
Red Hat Product Errata RHSA-2019:4269 0 None None None 2019-12-17 10:47:29 UTC
Red Hat Product Errata RHSA-2019:4273 0 None None None 2019-12-17 10:48:24 UTC
Red Hat Product Errata RHSA-2019:4352 0 None None None 2019-12-19 17:38:14 UTC
Red Hat Product Errata RHSA-2020:0406 0 None None None 2020-02-04 19:26:52 UTC
Red Hat Product Errata RHSA-2020:0727 0 None None None 2020-03-05 12:54:23 UTC
Red Hat Product Errata RHSA-2020:0922 0 None None None 2020-03-23 08:22:10 UTC
Red Hat Product Errata RHSA-2020:0983 0 None None None 2020-03-26 15:48:15 UTC
Red Hat Product Errata RHSA-2020:1445 0 None None None 2020-04-14 13:05:05 UTC
Red Hat Product Errata RHSA-2020:2067 0 None None None 2020-05-18 10:25:33 UTC
Red Hat Product Errata RHSA-2020:2565 0 None None None 2020-06-15 16:18:21 UTC
Red Hat Product Errata RHSA-2020:3196 0 None None None 2020-07-29 06:07:19 UTC
Red Hat Product Errata RHSA-2020:3197 0 None None None 2020-07-29 06:22:09 UTC

Description Marian Rehak 2019-08-01 11:43:33 UTC
HTTP/2 flood using HEADERS frames with invalid HTTP headers and queuing of response RST_STREAM frames that results in unbounded memory growth.
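The following is an added example, not code from this bug, from Red Hat, or from any of the projects fixed for this CVE. It is a toy Go model of the server-side behaviour the description refers to: every HEADERS frame carrying invalid headers is answered with an RST_STREAM, that RST_STREAM is queued for writing, and a peer that keeps sending but never reads makes the queue grow without bound. The same model with a cap on queued control frames shows the shape of the mitigation: the server closes the connection once the backlog passes the cap. Names (conn, onHeaders, queueControlFrame, flood) and the cap value are assumptions of this example; the upstream Go fix hard-codes a similar constant, but header validation and the real frame format are not modelled here.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrTooManyControlFrames is returned once the peer has forced more control
// frames into the write queue than the connection is willing to hold.
var ErrTooManyControlFrames = errors.New("http2: too many queued control frames")

// frame is the only part of an HTTP/2 frame this model needs: its type.
type frame struct {
	kind     string // "RST_STREAM" here; real servers also queue SETTINGS, PING, ...
	streamID uint32
}

// conn models one server-side HTTP/2 connection. Frames are appended to
// writeQueue and only leave it when the peer reads (flush). A peer that
// sends but never reads therefore makes the queue grow without bound.
type conn struct {
	writeQueue          []frame
	queuedControlFrames int
	maxQueuedControl    int // 0 = no cap (the pre-fix behaviour)
	closed              bool
}

// newConn returns a connection with the given cap on queued control frames.
// The cap is a parameter of this model (assumption); the upstream Go fix
// hard-codes a similar constant (maxQueuedControlFrames in golang.org/x/net/http2).
func newConn(maxQueuedControl int) *conn {
	return &conn{maxQueuedControl: maxQueuedControl}
}

// onHeaders handles one inbound HEADERS frame. Header validation itself is
// out of scope, so the caller says whether the header block was valid; an
// invalid one is answered with RST_STREAM, which goes onto the write queue.
func (c *conn) onHeaders(streamID uint32, validHeaders bool) error {
	if c.closed {
		return errors.New("http2: connection closed")
	}
	if validHeaders {
		return nil // normal request dispatch, not modelled
	}
	return c.queueControlFrame(frame{kind: "RST_STREAM", streamID: streamID})
}

// queueControlFrame is where the mitigation lives: count control frames that
// are waiting to be written and give up on the connection when the count
// passes the cap, instead of letting the backlog (and memory) grow forever.
func (c *conn) queueControlFrame(f frame) error {
	c.writeQueue = append(c.writeQueue, f)
	c.queuedControlFrames++
	if c.maxQueuedControl > 0 && c.queuedControlFrames > c.maxQueuedControl {
		c.closed = true
		c.writeQueue = nil // closing releases the backlog
		return ErrTooManyControlFrames
	}
	return nil
}

// flush models the peer reading n frames. Every queued frame in this model is
// a control frame, so the counter drops by the same amount; a well-behaved
// client that keeps reading never trips the cap.
func (c *conn) flush(n int) {
	if n > len(c.writeQueue) {
		n = len(c.writeQueue)
	}
	c.writeQueue = c.writeQueue[n:]
	c.queuedControlFrames -= n
}

// flood sends n HEADERS frames with invalid headers on fresh client streams
// (odd stream IDs) to a peer that never reads. It returns the queue length
// when it stopped and the error that stopped it, if any.
func flood(c *conn, n int) (int, error) {
	for i := 0; i < n; i++ {
		if err := c.onHeaders(uint32(2*i+1), false); err != nil {
			return len(c.writeQueue), err
		}
	}
	return len(c.writeQueue), nil
}

func main() {
	vulnerable := newConn(0)
	q, err := flood(vulnerable, 100000)
	fmt.Printf("no cap:    queued=%d err=%v\n", q, err)

	fixed := newConn(10000)
	q, err = flood(fixed, 100000)
	fmt.Printf("cap 10000: queued=%d err=%v\n", q, err)
}
```

Run with `go run .`: the uncapped connection ends with 100000 RST_STREAM frames queued and no error, while the capped one is closed with ErrTooManyControlFrames and an empty queue once the 10001st frame is queued. The point of the cap is that the attacker, not the server, pays for misbehaviour: a client that reads its responses (flush) keeps the counter near zero and is never affected.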

Comment 3 Marian Rehak 2019-08-09 07:27:58 UTC
Acknowledgments:

Name: the Envoy security team

Comment 5 Timothy Walsh 2019-08-15 06:30:19 UTC
https://istio.io/blog/2019/announcing-1.2.4/

Comment 6 Marian Rehak 2019-08-15 13:50:15 UTC
Golang issue:

https://github.com/golang/go/issues/33606

Comment 12 msiddiqu 2019-08-16 18:25:18 UTC
Created nginx tracking bugs for this issue:

Affects: epel-all [bug 1742310]
Affects: fedora-all [bug 1742308]

Comment 22 Marco Benatto 2019-08-22 18:44:28 UTC
NodeJS upstream commit related to this CVE:
https://github.com/nodejs/node/commit/477461a51f
https://github.com/nodejs/node/commit/05dada46ee

Comment 28 msiddiqu 2019-08-26 12:55:04 UTC
Created kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 1745595]

Comment 63 Marco Benatto 2019-09-03 21:36:00 UTC
Created undertow tracking bugs for this issue:

Affects: fedora-all [bug 1748603]

Comment 67 Marian Rehak 2019-09-05 10:26:23 UTC
tracker for fedora-all nginx closed

Comment 68 errata-xmlrpc 2019-09-09 09:48:06 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2019:2682 https://access.redhat.com/errata/RHSA-2019:2682

Comment 70 errata-xmlrpc 2019-09-10 13:49:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2726 https://access.redhat.com/errata/RHSA-2019:2726

Comment 71 errata-xmlrpc 2019-09-10 15:59:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:2594 https://access.redhat.com/errata/RHSA-2019:2594

Comment 72 Product Security DevOps Team 2019-09-10 18:45:40 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-9514

Comment 73 errata-xmlrpc 2019-09-11 05:44:55 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:2661 https://access.redhat.com/errata/RHSA-2019:2661

Comment 74 errata-xmlrpc 2019-09-11 15:28:39 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.10

Via RHSA-2019:2690 https://access.redhat.com/errata/RHSA-2019:2690

Comment 76 errata-xmlrpc 2019-09-12 18:33:03 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:2766 https://access.redhat.com/errata/RHSA-2019:2766

Comment 80 errata-xmlrpc 2019-09-19 02:28:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 14.0 (Rocky)

Via RHSA-2019:2796 https://access.redhat.com/errata/RHSA-2019:2796

Comment 85 errata-xmlrpc 2019-09-26 17:21:34 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:2861 https://access.redhat.com/errata/RHSA-2019:2861

Comment 86 errata-xmlrpc 2019-09-30 07:21:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2925 https://access.redhat.com/errata/RHSA-2019:2925

Comment 87 errata-xmlrpc 2019-09-30 23:39:08 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2939 https://access.redhat.com/errata/RHSA-2019:2939

Comment 89 errata-xmlrpc 2019-10-02 14:26:49 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2955 https://access.redhat.com/errata/RHSA-2019:2955

Comment 90 errata-xmlrpc 2019-10-03 18:57:36 UTC
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2019:2966 https://access.redhat.com/errata/RHSA-2019:2966

Comment 91 Sam Fowler 2019-10-08 05:42:47 UTC
Statement:

The golang package in Red Hat OpenStack Platform 9 Operational Tools will not be updated for this flaw because it is in technical preview and is retiring as of 24 Aug 2019.
This issue did not affect the versions of grafana (embeds golang) as shipped with Red Hat Ceph Storage 2 and Red Hat Gluster Storage 3, as they did not include support for HTTP/2.
The following storage product versions are affected because they include support for HTTP/2:
* golang as shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3
* heketi (embeds golang) as shipped with Red Hat Gluster Storage 3
* grafana (embeds golang and grpc) as shipped with Red Hat Ceph Storage 3
This flaw has no available mitigation for packages golang and nodejs. Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.

The nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.

All OpenShift Container Platform RPMs and container images that are built with Go and support HTTP/2 are vulnerable to this flaw.

Comment 98 errata-xmlrpc 2019-10-16 15:35:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:3131 https://access.redhat.com/errata/RHSA-2019:3131

Comment 100 errata-xmlrpc 2019-10-24 03:07:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.9

Via RHSA-2019:2769 https://access.redhat.com/errata/RHSA-2019:2769

Comment 103 errata-xmlrpc 2019-10-29 17:41:46 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2019:3245 https://access.redhat.com/errata/RHSA-2019:3245

Comment 104 errata-xmlrpc 2019-10-30 18:18:43 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:3265 https://access.redhat.com/errata/RHSA-2019:3265

Comment 110 errata-xmlrpc 2019-11-14 21:18:34 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.5.0

Via RHSA-2019:3892 https://access.redhat.com/errata/RHSA-2019:3892

Comment 111 errata-xmlrpc 2019-11-18 16:24:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2019:3906 https://access.redhat.com/errata/RHSA-2019:3906

Comment 112 Paramvir jindal 2019-11-19 10:24:43 UTC
RHSSO component undertow is not affected because undertow-core-2.0.25.SP1-redhat-00001.jar already includes the fix. RHSSO component netty seems to be affected, as the netty fix version seems to be 4.1.39 as per [1], and RHSSO 7.3.4 ships netty-all-4.1.34.Final-redhat-00002.jar.

[1] https://netty.io/news/2019/08/13/4-1-39-Final.html

Comment 116 errata-xmlrpc 2019-11-26 19:55:39 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2019:4018 https://access.redhat.com/errata/RHSA-2019:4018

Comment 117 errata-xmlrpc 2019-11-26 19:57:15 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2019:4020 https://access.redhat.com/errata/RHSA-2019:4020

Comment 118 errata-xmlrpc 2019-11-26 19:58:50 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2019:4021 https://access.redhat.com/errata/RHSA-2019:4021

Comment 119 errata-xmlrpc 2019-11-26 19:59:59 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2019:4019 https://access.redhat.com/errata/RHSA-2019:4019

Comment 120 errata-xmlrpc 2019-12-02 17:02:56 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3 for RHEL 7

Via RHSA-2019:4041 https://access.redhat.com/errata/RHSA-2019:4041

Comment 121 errata-xmlrpc 2019-12-02 17:03:30 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3 for RHEL 6

Via RHSA-2019:4040 https://access.redhat.com/errata/RHSA-2019:4040

Comment 122 errata-xmlrpc 2019-12-02 17:03:49 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3 for RHEL 8

Via RHSA-2019:4042 https://access.redhat.com/errata/RHSA-2019:4042

Comment 123 errata-xmlrpc 2019-12-02 17:21:22 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2019:4045 https://access.redhat.com/errata/RHSA-2019:4045

Comment 126 errata-xmlrpc 2019-12-17 10:47:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:4269 https://access.redhat.com/errata/RHSA-2019:4269

Comment 127 errata-xmlrpc 2019-12-17 10:48:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:4273 https://access.redhat.com/errata/RHSA-2019:4273

Comment 129 errata-xmlrpc 2019-12-19 17:38:08 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 6.3

Via RHSA-2019:4352 https://access.redhat.com/errata/RHSA-2019:4352

Comment 134 errata-xmlrpc 2020-02-04 19:26:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:0406 https://access.redhat.com/errata/RHSA-2020:0406

Comment 136 errata-xmlrpc 2020-03-05 12:54:11 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.3

Via RHSA-2020:0727 https://access.redhat.com/errata/RHSA-2020:0727

Comment 139 errata-xmlrpc 2020-03-23 08:21:51 UTC
This issue has been addressed in the following products:

  Red Hat AMQ

Via RHSA-2020:0922 https://access.redhat.com/errata/RHSA-2020:0922

Comment 142 errata-xmlrpc 2020-03-26 15:48:03 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.6.0

Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983

Comment 143 errata-xmlrpc 2020-04-14 13:04:58 UTC
This issue has been addressed in the following products:

  Red Hat AMQ 7.4.3

Via RHSA-2020:1445 https://access.redhat.com/errata/RHSA-2020:1445

Comment 146 errata-xmlrpc 2020-05-18 10:25:20 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067

Comment 147 errata-xmlrpc 2020-06-15 16:18:12 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:2565 https://access.redhat.com/errata/RHSA-2020:2565

Comment 148 errata-xmlrpc 2020-07-29 06:07:11 UTC
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2020:3196 https://access.redhat.com/errata/RHSA-2020:3196

Comment 149 errata-xmlrpc 2020-07-29 06:22:01 UTC
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2020:3197 https://access.redhat.com/errata/RHSA-2020:3197

