Bug 1741864 (CVE-2019-9516) - CVE-2019-9516 HTTP/2: 0-length headers lead to denial of service
Summary: CVE-2019-9516 HTTP/2: 0-length headers lead to denial of service
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-9516
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1741948 1741979 1741980 1742380 1742381 1744833 1745039 1745040 1745041 1745042 1745043 1745044 1745084 1745086 1745087 1745089 1745090 1745091 1745092 1745093 1745094 1745096 1745645 1745667 1745668 1745679 1745680 1746422 1748607
Blocks: 1735750
Reported: 2019-08-16 09:48 UTC by Dhananjay Arunesh
Modified: 2023-03-24 15:15 UTC
CC List: 117 users

Fixed In Version: Nodejs 8.16.1, Nodejs 10.16.3, Nodejs 12.8.1, nginx 1.16.1, nginx 1.17.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in HTTP/2. An attacker, sending a stream of headers with a 0-length header name and a 0-length header value, could cause some implementations to allocate memory for these headers and keep the allocations alive until the session dies. This can consume excess memory, potentially leading to a denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2019-09-13 12:45:38 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2772 0 None None None 2019-09-16 12:24:47 UTC
Red Hat Product Errata RHBA-2019:2788 0 None None None 2019-09-17 03:00:56 UTC
Red Hat Product Errata RHBA-2019:2907 0 None None None 2019-09-26 08:11:57 UTC
Red Hat Product Errata RHBA-2019:2948 0 None None None 2019-10-01 16:54:04 UTC
Red Hat Product Errata RHBA-2019:2951 0 None None None 2019-10-01 17:03:31 UTC
Red Hat Product Errata RHBA-2019:3289 0 None None None 2019-10-31 17:01:15 UTC
Red Hat Product Errata RHBA-2019:3291 0 None None None 2019-10-31 17:05:10 UTC
Red Hat Product Errata RHSA-2019:2745 0 None None None 2019-09-12 11:56:15 UTC
Red Hat Product Errata RHSA-2019:2746 0 None None None 2019-09-12 12:02:28 UTC
Red Hat Product Errata RHSA-2019:2775 0 None None None 2019-09-17 14:57:56 UTC
Red Hat Product Errata RHSA-2019:2799 0 None None None 2019-09-19 07:32:25 UTC
Red Hat Product Errata RHSA-2019:2925 0 None None None 2019-09-30 07:22:16 UTC
Red Hat Product Errata RHSA-2019:2939 0 None None None 2019-09-30 23:39:29 UTC
Red Hat Product Errata RHSA-2019:2946 0 None None None 2019-10-01 10:32:41 UTC
Red Hat Product Errata RHSA-2019:2950 0 None None None 2019-10-01 11:46:17 UTC
Red Hat Product Errata RHSA-2019:2955 0 None None None 2019-10-02 14:27:12 UTC
Red Hat Product Errata RHSA-2019:2966 0 None None None 2019-10-03 18:57:51 UTC
Red Hat Product Errata RHSA-2019:3932 0 None None None 2019-11-20 16:21:59 UTC
Red Hat Product Errata RHSA-2019:3933 0 None None None 2019-11-20 16:14:02 UTC
Red Hat Product Errata RHSA-2019:3935 0 None None None 2019-11-20 16:09:00 UTC
Red Hat Product Errata RHSA-2020:0922 0 None None None 2020-03-23 08:22:43 UTC
Red Hat Product Errata RHSA-2020:0983 0 None None None 2020-03-26 15:48:45 UTC
Red Hat Product Errata RHSA-2020:1445 0 None None None 2020-04-14 13:05:20 UTC

Description Dhananjay Arunesh 2019-08-16 09:48:32 UTC
A vulnerability was found in http/2 where an attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
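The description above and the Doc Text field both describe the same mechanism: each HPACK literal header with an empty name and empty value is only three bytes on the wire, yet a decoder that accepts it allocates and retains a header object until the session ends. The following is an added example, not code from this bug report or from any of the affected projects (nginx, Node.js, nghttp2, httpd, Undertow). It decodes the "literal header field, new name" HPACK representations and shows the defender-side check: refuse the block on a zero-length name, and cap the header count so one block cannot force an unbounded number of allocations. It handles only non-Huffman string literals and the two literal-with-new-name forms; indexed, dynamic-table and Huffman forms are rejected explicitly so the simplification is visible. MAX_HEADERS_PER_BLOCK is an assumed policy value, not a limit taken from any real server.

```python
"""Guarded HPACK (RFC 7541) literal-header decoding for CVE-2019-9516.

Added example, not code from the bug report or any affected project.
Only RFC 7541 s6.2.2 / s6.2.3 ("literal ... new name") with non-Huffman
string literals is handled; other forms raise NotImplementedError.
"""


class MalformedHeaderBlock(ValueError):
    """Raised when a header block must be refused (a stream/connection error)."""


MAX_HEADERS_PER_BLOCK = 100  # assumed policy limit, not taken from any real server


def decode_integer(data, pos, prefix_bits):
    """HPACK integer (RFC 7541 s5.1) with an N-bit prefix -> (value, next_pos)."""
    mask = (1 << prefix_bits) - 1
    value = data[pos] & mask
    pos += 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        if pos >= len(data):
            raise MalformedHeaderBlock("truncated integer")
        byte = data[pos]
        pos += 1
        value += (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos
        if shift > 28:  # bound the continuation so a hostile block cannot spin us
            raise MalformedHeaderBlock("integer too large")


def decode_string(data, pos):
    """String literal (RFC 7541 s5.2): H bit, 7-bit-prefixed length, octets."""
    if pos >= len(data):
        raise MalformedHeaderBlock("truncated string literal")
    huffman = bool(data[pos] & 0x80)
    length, pos = decode_integer(data, pos, 7)
    if pos + length > len(data):
        raise MalformedHeaderBlock("string length exceeds header block")
    if huffman:
        # A real decoder must Huffman-decode first and apply the empty-name
        # check to the decoded length: the report notes the empty strings may
        # arrive Huffman-encoded as one byte or more.
        raise NotImplementedError("Huffman-coded strings not handled in this example")
    return bytes(data[pos:pos + length]), pos + length


def decode_header_block(data, reject_empty_names=True, max_headers=MAX_HEADERS_PER_BLOCK):
    """Decode a header block fragment into a list of (name, value) byte pairs.

    reject_empty_names=True is the hardened behaviour: an HTTP field name is a
    token (RFC 7230 s3.2.6) and a token has at least one character, so a
    zero-length name is malformed and the block is refused at once.
    reject_empty_names=False mimics the vulnerable behaviour the report
    describes, keeping one allocation per empty header.  The header-count cap
    bounds the allocations a single block can force either way.
    """
    headers = []
    pos = 0
    while pos < len(data):
        first = data[pos]
        # 0x00 = literal without indexing, new name; 0x10 = literal never indexed, new name
        if first not in (0x00, 0x10):
            raise NotImplementedError("only literal-with-new-name representations handled")
        pos += 1
        name, pos = decode_string(data, pos)
        value, pos = decode_string(data, pos)
        if reject_empty_names and len(name) == 0:
            raise MalformedHeaderBlock("zero-length header name at header #%d" % (len(headers) + 1))
        headers.append((name, value))
        if len(headers) > max_headers:
            raise MalformedHeaderBlock("more than %d headers in one block" % max_headers)
    return headers


def is_accepted(data, **kwargs):
    """True if decode_header_block accepts the block with these options, else False."""
    try:
        decode_header_block(data, **kwargs)
        return True
    except MalformedHeaderBlock:
        return False


# Constructed samples: one ordinary header, and three headers whose name and
# value are both empty (the three-byte shape the report describes, repeated).
NORMAL_BLOCK = b"\x10" + b"\x04host" + b"\x0bexample.org"
EMPTY_BLOCK = b"\x00\x00\x00" * 3


if __name__ == "__main__":
    print("normal:", decode_header_block(NORMAL_BLOCK))
    print("lenient:", decode_header_block(EMPTY_BLOCK, reject_empty_names=False))
    print("hardened accepts empty-name block:", is_accepted(EMPTY_BLOCK))
```

The lenient path returns three retained pairs for nine wire bytes, which is the amplification at the heart of the report; the hardened path refuses the block on the first empty name, and the count cap limits what any block can cost even when names are present.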

Comment 1 Dhananjay Arunesh 2019-08-16 09:52:04 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1741866]

Comment 3 Dhananjay Arunesh 2019-08-16 14:01:28 UTC
Created mod_http2 tracking bugs for this issue:

Affects: fedora-all [bug 1741948]


Created nghttp2 tracking bugs for this issue:

Affects: fedora-all [bug 1741947]

Comment 4 Dhananjay Arunesh 2019-08-16 14:02:37 UTC
Created nghttp2 tracking bugs for this issue:

Affects: epel-all [bug 1741950]

Comment 6 msiddiqu 2019-08-16 14:25:48 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1741980]
Affects: fedora-all [bug 1741979]

Comment 8 msiddiqu 2019-08-16 18:45:25 UTC
Created nginx tracking bugs for this issue:

Affects: epel-all [bug 1742380]
Affects: fedora-all [bug 1742381]

Comment 34 Marco Benatto 2019-09-03 21:39:09 UTC
Created undertow tracking bugs for this issue:

Affects: fedora-all [bug 1748607]

Comment 35 Sam Fowler 2019-09-04 07:07:22 UTC
Statement:

This flaw has no available mitigation for the nodejs package. It will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.

The nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.

Comment 37 errata-xmlrpc 2019-09-12 11:56:12 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2019:2745 https://access.redhat.com/errata/RHSA-2019:2745

Comment 38 errata-xmlrpc 2019-09-12 12:02:24 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2746 https://access.redhat.com/errata/RHSA-2019:2746

Comment 39 Product Security DevOps Team 2019-09-13 12:45:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-9516

Comment 40 errata-xmlrpc 2019-09-17 14:57:52 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2775 https://access.redhat.com/errata/RHSA-2019:2775

Comment 41 errata-xmlrpc 2019-09-19 07:32:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2799 https://access.redhat.com/errata/RHSA-2019:2799

Comment 43 Marco Benatto 2019-09-19 21:23:02 UTC
Mitigation:

Red Hat Quay 3.0 uses Nginx 1.12 from Red Hat Software Collections. It will be updated once a fix is released for Software Collections. In the meantime users of Quay can disable http/2 support in Nginx by following these instructions:

1. Copy the Nginx configuration from the quay container to the host
$ docker cp 3aadf1421ba3:/quay-registry/conf/nginx/ /mnt/quay/nginx

2. Edit the Nginx configuration, removing http/2 support
$ sed -i 's/http2 //g' /mnt/quay/nginx/nginx.conf

3. Restart Nginx with the new configuration mounted into the container, e.g.:
$ docker run --restart=always -p 443:8443 -p 80:8080 --sysctl net.core.somaxconn=4096 -v /mnt/quay/config:/conf/stack:Z -v /mnt/quay/storage:/datastorage -v /mnt/quay/nginx:/quay-registry/config/nginx:Z -d quay.io/redhat/quay:v3.0.3
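Step 2 of the mitigation above rewrites the configuration with `sed 's/http2 //g'`, which removes `http2` only where a space follows it; a directive written as `listen 443 ssl http2;` (parameter directly followed by `;`) is left untouched, and the server keeps HTTP/2 enabled. The following is an added example, not part of the bug report, the Quay images or nginx itself. It performs the same edit in Python, removing the `http2` parameter from every `listen` directive regardless of its position, leaves the word alone in comments and in other directives, and provides a check to confirm nothing was missed. The configuration text is constructed for the example and is not Quay's real nginx.conf.

```python
"""Remove the http2 parameter from nginx `listen` directives and verify it.

Added example, not code from the bug report, Quay or nginx.  SAMPLE_CONF is
a constructed configuration, not the real Quay nginx.conf.
"""
import re

# Match " http2" inside a listen directive only: the directive must start
# the line, and the parameter must sit before the terminating ';' with no
# comment marker in between, so "http2" in comments or other directives
# (a proxy_pass URL, a map) is never touched.
_LISTEN_HTTP2 = re.compile(r"^(\s*listen\b[^;#]*?)\s+http2\b(?=[^;#]*;)", re.MULTILINE)


def disable_http2(conf_text):
    """Return conf_text with `http2` stripped from every listen directive.

    Re-applied until stable so a directive that (oddly) repeats the parameter
    is also fully cleaned.
    """
    while True:
        new_text = _LISTEN_HTTP2.sub(r"\1", conf_text)
        if new_text == conf_text:
            return new_text
        conf_text = new_text


def listen_lines_with_http2(conf_text):
    """Listen directives (stripped, comments removed) that still carry http2.

    Empty list means the edit is complete; anything else is a line the
    pattern missed and must be fixed by hand.
    """
    found = []
    for line in conf_text.splitlines():
        code = line.split("#", 1)[0]  # ignore trailing comments
        if re.match(r"\s*listen\b", code) and re.search(r"\bhttp2\b", code):
            found.append(code.strip())
    return found


# Constructed sample, loosely modelled on a TLS server block.  It includes
# the form the sed pattern in the comment above misses (http2 followed by ';').
SAMPLE_CONF = """\
http {
    upstream registry { server 127.0.0.1:8080; }
    server {
        listen 8443 ssl http2;
        listen [::]:8443 ssl http2 default_server;
        listen 8080 http2;   # plain-text listener, http2 last
        server_name quay.example.test;
        # http2 mentioned in a comment must survive
        location / { proxy_pass http://registry; }
    }
}
"""


if __name__ == "__main__":
    print("before:", listen_lines_with_http2(SAMPLE_CONF))
    fixed = disable_http2(SAMPLE_CONF)
    print("after: ", listen_lines_with_http2(fixed))
    print(fixed)
```

After rewriting the file, run `nginx -t` against the edited configuration (or restart the container as in step 3 and check its logs) so a syntax slip is caught before the listener is relied on. Directives split across several lines are not handled by this pattern; the check function will still report them, since it looks only at single lines that begin with `listen`.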

Comment 48 errata-xmlrpc 2019-09-30 07:22:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:2925 https://access.redhat.com/errata/RHSA-2019:2925

Comment 49 errata-xmlrpc 2019-09-30 23:39:26 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2939 https://access.redhat.com/errata/RHSA-2019:2939

Comment 50 errata-xmlrpc 2019-10-01 10:32:37 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7
  JBoss Core Services on RHEL 6

Via RHSA-2019:2946 https://access.redhat.com/errata/RHSA-2019:2946

Comment 51 errata-xmlrpc 2019-10-01 11:46:13 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2019:2950 https://access.redhat.com/errata/RHSA-2019:2950

Comment 53 errata-xmlrpc 2019-10-02 14:27:08 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2019:2955 https://access.redhat.com/errata/RHSA-2019:2955

Comment 54 errata-xmlrpc 2019-10-03 18:57:47 UTC
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2019:2966 https://access.redhat.com/errata/RHSA-2019:2966

Comment 59 errata-xmlrpc 2019-11-20 16:08:50 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Core Services

Via RHSA-2019:3935 https://access.redhat.com/errata/RHSA-2019:3935

Comment 60 errata-xmlrpc 2019-11-20 16:13:58 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 7

Via RHSA-2019:3933 https://access.redhat.com/errata/RHSA-2019:3933

Comment 61 errata-xmlrpc 2019-11-20 16:21:55 UTC
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6

Via RHSA-2019:3932 https://access.redhat.com/errata/RHSA-2019:3932

Comment 68 errata-xmlrpc 2020-03-23 08:22:32 UTC
This issue has been addressed in the following products:

  Red Hat AMQ

Via RHSA-2020:0922 https://access.redhat.com/errata/RHSA-2020:0922

Comment 69 errata-xmlrpc 2020-03-26 15:48:37 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.6.0

Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983

Comment 70 errata-xmlrpc 2020-04-14 13:05:14 UTC
This issue has been addressed in the following products:

  Red Hat AMQ 7.4.3

Via RHSA-2020:1445 https://access.redhat.com/errata/RHSA-2020:1445
