HTTP/2 flood using SETTINGS frames and queueing of SETTINGS ACK frames that results in unbounded memory growth.
Name: the Envoy security team
Created nginx tracking bugs for this issue:
Affects: epel-all [bug 1742333]
Affects: fedora-all [bug 1742332]
NodeJS upstream commits:
Created undertow tracking bugs for this issue:
Affects: fedora-all [bug 1748604]
This issue affects the version of grafana (which embeds gRPC) as shipped with Red Hat Ceph Storage 3, as it includes support for HTTP/2.
This flaw has no available mitigation for the nodejs package. It will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.
The nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.
tracker for fedora-all nginx closed
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.1
Via RHSA-2019:2766 https://access.redhat.com/errata/RHSA-2019:2766
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):