CVE-2019-9514

Impact:
Important
Public Date:
2019-08-13
CWE:
CWE-400
Bugzilla:
1735744: CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth

The MITRE CVE dictionary describes this issue as:

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.

Find out more about CVE-2019-9514 from the MITRE CVE dictionary and NIST NVD.
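The description above hinges on how the server queues the RST_STREAM frames it owes the peer: a DATA frame is bounded by the flow-control window, but a reset is not, so a peer that provokes resets and never reads them can make the outbound queue grow without limit. The added example below (it is not Red Hat's or the Go project's code; SendQueue, ResetsWhileStalled and the other names are hypothetical) models the server side of that condition and the defensive pattern the Go fix used: count queued control frames per connection and tear the connection down once the count passes a cap instead of buffering more. The cap of 10000 is the value the upstream Go fix chose; the unbounded variant (cap 0) shows the pre-fix behaviour.

```go
package main

import (
	"errors"
	"fmt"
)

// FrameType models the HTTP/2 frame types this example distinguishes.
type FrameType uint8

const (
	FrameData      FrameType = 0x0
	FrameHeaders   FrameType = 0x1
	FrameRSTStream FrameType = 0x3
)

// Frame is a minimal model of an outbound HTTP/2 frame; the payload is
// omitted because only queue occupancy matters here.
type Frame struct {
	Type     FrameType
	StreamID uint32
}

// IsControl reports whether the peer can solicit this frame without spending
// flow-control credit. DATA is bounded by the window and HEADERS by
// MAX_CONCURRENT_STREAMS; RST_STREAM (and PING/SETTINGS acks) are bounded by
// neither, which is why they need a bound of their own.
func (f Frame) IsControl() bool {
	return f.Type != FrameData && f.Type != FrameHeaders
}

// ErrTooManyControlFrames is returned once the cap is exceeded; the
// connection is closed rather than letting the queue grow without limit.
var ErrTooManyControlFrames = errors.New("http2: too many queued control frames; closing connection")

// SendQueue is a hypothetical per-connection write queue with a cap on
// queued control frames. maxQueuedControl == 0 means unbounded (pre-fix).
type SendQueue struct {
	maxQueuedControl int
	queuedControl    int
	pending          []Frame
	closed           bool
}

func NewSendQueue(maxQueuedControl int) *SendQueue {
	return &SendQueue{maxQueuedControl: maxQueuedControl}
}

// Enqueue hands a frame to the writer. If the peer is not reading, control
// frames pile up; past the cap the backlog is dropped and the connection is
// marked closed, since buffering more unread resets only burns memory.
func (q *SendQueue) Enqueue(f Frame) error {
	if q.closed {
		return ErrTooManyControlFrames
	}
	q.pending = append(q.pending, f)
	if f.IsControl() {
		q.queuedControl++
		if q.maxQueuedControl > 0 && q.queuedControl > q.maxQueuedControl {
			q.closed = true
			q.pending = nil
			q.queuedControl = 0
			return ErrTooManyControlFrames
		}
	}
	return nil
}

// Flush models the writer draining up to n frames to the socket and
// returning their share of the control-frame budget. A peer that reads its
// resets normally therefore never approaches the cap.
func (q *SendQueue) Flush(n int) int {
	if n > len(q.pending) {
		n = len(q.pending)
	}
	for _, f := range q.pending[:n] {
		if f.IsControl() {
			q.queuedControl--
		}
	}
	q.pending = q.pending[n:]
	return n
}

func (q *SendQueue) QueuedControl() int { return q.queuedControl }
func (q *SendQueue) Closed() bool        { return q.closed }

// ResetStream models the server's answer to an invalid request on a stream:
// a RST_STREAM for that stream is queued (RFC 7540, stream error handling).
func (q *SendQueue) ResetStream(streamID uint32) error {
	return q.Enqueue(Frame{Type: FrameRSTStream, StreamID: streamID})
}

// ResetsWhileStalled models the condition the CVE describes: `streams`
// streams each carry an invalid request and the peer never reads, so nothing
// is flushed. It returns how many resets were queued before the cap (if any)
// closed the connection.
func ResetsWhileStalled(q *SendQueue, streams int) (accepted int) {
	for i := 0; i < streams; i++ {
		if err := q.ResetStream(uint32(2*i + 1)); err != nil { // client stream IDs are odd
			return accepted
		}
		accepted++
	}
	return accepted
}

func main() {
	unbounded := NewSendQueue(0)
	ResetsWhileStalled(unbounded, 50000)
	fmt.Printf("unbounded: %d RST_STREAM frames held, closed=%v\n", unbounded.QueuedControl(), unbounded.Closed())

	bounded := NewSendQueue(10000)
	n := ResetsWhileStalled(bounded, 50000)
	fmt.Printf("bounded:   %d resets queued, then closed=%v\n", n, bounded.Closed())
}
```

With the cap disabled every one of the 50000 unread resets stays resident, which is the unbounded growth the advisory refers to; with the cap, the 10001st reset closes the connection and frees the backlog. The Flush path matters as much as the cap: a slow but honest peer drains the queue and never trips it, so the limit costs legitimate clients nothing.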

Statement

The golang package in Red Hat OpenStack Platform 9 Operational Tools will not be updated for this flaw because it is in technical preview and is retiring as of 24.Aug.2019.
This issue did not affect the versions of grafana (which embeds golang) shipped with Red Hat Ceph Storage 2 and Red Hat Gluster Storage 3, as they did not include HTTP/2 support.
The following storage product versions are affected because they include HTTP/2 support:
* golang as shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3
* heketi (embeds golang) as shipped with Red Hat Gluster Storage 3
* grafana (embeds golang and grpc) as shipped with Red Hat Ceph Storage 3
There is no available mitigation for this flaw in the golang and nodejs packages. Both packages will be updated once the fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.

The nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 7.5
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Impact None
Integrity Impact None
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat OpenShift Container Platform 4.1 RHSA-2019:2766 2019-09-12
Red Hat OpenShift Container Platform 4.1 (openshift) RHSA-2019:2661 2019-09-11
Red Hat Enterprise Linux 8 (go-toolset:rhel8) RHSA-2019:2726 2019-09-12
Red Hat OpenShift Container Platform 4.1 RHSA-2019:2594 2019-09-10
Red Hat OpenShift Container Platform 3.10 (atomic-openshift) RHSA-2019:2690 2019-09-12
Red Hat OpenStack Platform 14.0 (Rocky) (skydive) RHSA-2019:2796 2019-09-19
Red Hat Developer Tools (go-toolset-1.11) RHSA-2019:2682 2019-09-10

Affected Packages State

Platform Package State
Red Hat Software Collections for Red Hat Enterprise Linux rh-nginx112-nginx Not affected
Red Hat Software Collections for Red Hat Enterprise Linux rh-nginx110-nginx Not affected
Red Hat Software Collections for Red Hat Enterprise Linux rh-nginx114-nginx Not affected
Red Hat Software Collections for Red Hat Enterprise Linux rh-nodejs8-nodejs Affected
Red Hat Software Collections for Red Hat Enterprise Linux rh-nodejs10-nodejs Affected
Red Hat Single Sign-On 7 netty Under investigation
Red Hat Single Sign-On 7 undertow Under investigation
Red Hat Quay 3 clair-jwt Affected
Red Hat Quay 3 nodejs Not affected
Red Hat Quay 3 quay-builder Under investigation
Red Hat Quay 3 quay Affected
Red Hat OpenStack Platform 9.0 Operational Tools for RHEL 7 golang Will not fix
Red Hat OpenShift Container Platform 3.9 rpms Affected
Red Hat OpenShift Container Platform 3.9 nodejs Not affected
Red Hat OpenShift Container Platform 3.11 rpms Affected
Red Hat OpenShift Container Platform 3.10 nodejs Not affected
Red Hat OpenShift Container Platform 3.10 rpms Affected
Red Hat OpenShift Application Runtimes 1.0 rhoar-nodejs Under investigation
Red Hat OpenShift Application Runtimes 1.0 vertx Affected
Red Hat OpenShift Application Runtimes 1.0 swarm Under investigation
Red Hat JBoss Fuse 7 undertow Under investigation
Red Hat JBoss Fuse 7 netty Affected
Red Hat JBoss Fuse 7 grpc Affected
Red Hat JBoss Fuse 6 undertow Under investigation
Red Hat JBoss Fuse 6 netty Affected
Red Hat JBoss EAP 7 undertow Under investigation
Red Hat JBoss EAP 6 jbossweb Not affected
Red Hat JBoss Data Virtualization 6 netty Under investigation
Red Hat JBoss Data Grid 7 undertow Under investigation
Red Hat JBoss Data Grid 7 netty Under investigation
Red Hat JBoss A-MQ 7 netty Affected
Red Hat Gluster Storage 3 heketi Affected
Red Hat Gluster Storage 3 golang Affected
Red Hat Gluster Storage 3 grafana Not affected
Red Hat Enterprise Linux 8 nodejs:10/nodejs Affected
Red Hat Enterprise Linux 8 nginx:1.14/nginx Not affected
Red Hat Enterprise Linux 7 golang Affected
Red Hat Ceph Storage 3 golang Affected
Red Hat Ceph Storage 3 grafana Affected
Red Hat Ceph Storage 2 golang Affected
Red Hat Ceph Storage 2 grafana Not affected
Red Hat Ansible Tower 3 for RHEL 7 nginx Not affected
CloudForms Management Engine 5 nginx Not affected
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although they may not have been subject to full analysis.

Acknowledgements

Red Hat would like to thank the Envoy security team for reporting this issue.

CVE description copyright © 2017, The MITRE Corporation