ID

VAR-201908-0421

CVE

CVE-2019-9511

TITLE

HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustion

DESCRIPTION

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. Multiple HTTP/2 implementations are vulnerable to a variety of denial-of-service (DoS) attacks. A resource management error vulnerability exists in HTTP/2. ========================================================================== Ubuntu Security Notice USN-6754-1 April 25, 2024 nghttp2 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 23.10 - Ubuntu 22.04 LTS - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS (Available with Ubuntu Pro) - Ubuntu 16.04 LTS (Available with Ubuntu Pro) Summary: Several security issues were fixed in nghttp2. A remote attacker could possibly use this issue to cause nghttp2 to consume resources, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2019-9511, CVE-2019-9513) It was discovered that nghttp2 incorrectly handled request cancellation. A remote attacker could possibly use this issue to cause nghttp2 to consume resources, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2023-44487) It was discovered that nghttp2 could be made to process an unlimited number of HTTP/2 CONTINUATION frames. A remote attacker could possibly use this issue to cause nghttp2 to consume resources, leading to a denial of service. (CVE-2024-28182) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 23.10: libnghttp2-14 1.55.1-1ubuntu0.2 nghttp2 1.55.1-1ubuntu0.2 nghttp2-client 1.55.1-1ubuntu0.2 nghttp2-proxy 1.55.1-1ubuntu0.2 nghttp2-server 1.55.1-1ubuntu0.2 Ubuntu 22.04 LTS: libnghttp2-14 1.43.0-1ubuntu0.2 nghttp2 1.43.0-1ubuntu0.2 nghttp2-client 1.43.0-1ubuntu0.2 nghttp2-proxy 1.43.0-1ubuntu0.2 nghttp2-server 1.43.0-1ubuntu0.2 Ubuntu 20.04 LTS: libnghttp2-14 1.40.0-1ubuntu0.3 nghttp2 1.40.0-1ubuntu0.3 nghttp2-client 1.40.0-1ubuntu0.3 nghttp2-proxy 1.40.0-1ubuntu0.3 nghttp2-server 1.40.0-1ubuntu0.3 Ubuntu 18.04 LTS (Available with Ubuntu Pro): libnghttp2-14 1.30.0-1ubuntu1+esm2 nghttp2 1.30.0-1ubuntu1+esm2 nghttp2-client 1.30.0-1ubuntu1+esm2 nghttp2-proxy 1.30.0-1ubuntu1+esm2 nghttp2-server 1.30.0-1ubuntu1+esm2 Ubuntu 16.04 LTS (Available with Ubuntu Pro): libnghttp2-14 1.7.1-1ubuntu0.1~esm2 nghttp2 1.7.1-1ubuntu0.1~esm2 nghttp2-client 1.7.1-1ubuntu0.1~esm2 nghttp2-proxy 1.7.1-1ubuntu0.1~esm2 nghttp2-server 1.7.1-1ubuntu0.1~esm2 In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: nghttp2 security update Advisory ID: RHSA-2019:2692-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2019:2692 Issue date: 2019-09-09 CVE Names: CVE-2019-9511 CVE-2019-9513 ==================================================================== 1. Summary: An update for nghttp2 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, ppc64le, s390x, x86_64 3. Description: libnghttp2 is a library implementing the Hypertext Transfer Protocol version 2 (HTTP/2) protocol in C. Security Fix(es): * HTTP/2: large amount of data request leads to denial of service (CVE-2019-9511) * HTTP/2: flood using PRIORITY frames resulting in excessive resource consumption (CVE-2019-9513) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1735741 - CVE-2019-9513 HTTP/2: flood using PRIORITY frames resulting in excessive resource consumption 1741860 - CVE-2019-9511 HTTP/2: large amount of data request leads to denial of service 6. Package List: Red Hat Enterprise Linux BaseOS (v. 8): Source: nghttp2-1.33.0-1.el8_0.1.src.rpm aarch64: libnghttp2-1.33.0-1.el8_0.1.aarch64.rpm libnghttp2-debuginfo-1.33.0-1.el8_0.1.aarch64.rpm nghttp2-debuginfo-1.33.0-1.el8_0.1.aarch64.rpm nghttp2-debugsource-1.33.0-1.el8_0.1.aarch64.rpm ppc64le: libnghttp2-1.33.0-1.el8_0.1.ppc64le.rpm libnghttp2-debuginfo-1.33.0-1.el8_0.1.ppc64le.rpm nghttp2-debuginfo-1.33.0-1.el8_0.1.ppc64le.rpm nghttp2-debugsource-1.33.0-1.el8_0.1.ppc64le.rpm s390x: libnghttp2-1.33.0-1.el8_0.1.s390x.rpm libnghttp2-debuginfo-1.33.0-1.el8_0.1.s390x.rpm nghttp2-debuginfo-1.33.0-1.el8_0.1.s390x.rpm nghttp2-debugsource-1.33.0-1.el8_0.1.s390x.rpm x86_64: libnghttp2-1.33.0-1.el8_0.1.i686.rpm libnghttp2-1.33.0-1.el8_0.1.x86_64.rpm libnghttp2-debuginfo-1.33.0-1.el8_0.1.i686.rpm libnghttp2-debuginfo-1.33.0-1.el8_0.1.x86_64.rpm nghttp2-debuginfo-1.33.0-1.el8_0.1.i686.rpm nghttp2-debuginfo-1.33.0-1.el8_0.1.x86_64.rpm nghttp2-debugsource-1.33.0-1.el8_0.1.i686.rpm nghttp2-debugsource-1.33.0-1.el8_0.1.x86_64.rpm Red Hat CodeReady Linux Builder (v. 8): aarch64: libnghttp2-debuginfo-1.33.0-1.el8_0.1.aarch64.rpm libnghttp2-devel-1.33.0-1.el8_0.1.aarch64.rpm nghttp2-1.33.0-1.el8_0.1.aarch64.rpm nghttp2-debuginfo-1.33.0-1.el8_0.1.aarch64.rpm nghttp2-debugsource-1.33.0-1.el8_0.1.aarch64.rpm ppc64le: libnghttp2-debuginfo-1.33.0-1.el8_0.1.ppc64le.rpm libnghttp2-devel-1.33.0-1.el8_0.1.ppc64le.rpm nghttp2-1.33.0-1.el8_0.1.ppc64le.rpm nghttp2-debuginfo-1.33.0-1.el8_0.1.ppc64le.rpm nghttp2-debugsource-1.33.0-1.el8_0.1.ppc64le.rpm s390x: libnghttp2-debuginfo-1.33.0-1.el8_0.1.s390x.rpm libnghttp2-devel-1.33.0-1.el8_0.1.s390x.rpm nghttp2-1.33.0-1.el8_0.1.s390x.rpm nghttp2-debuginfo-1.33.0-1.el8_0.1.s390x.rpm nghttp2-debugsource-1.33.0-1.el8_0.1.s390x.rpm x86_64: libnghttp2-debuginfo-1.33.0-1.el8_0.1.i686.rpm libnghttp2-debuginfo-1.33.0-1.el8_0.1.x86_64.rpm libnghttp2-devel-1.33.0-1.el8_0.1.i686.rpm libnghttp2-devel-1.33.0-1.el8_0.1.x86_64.rpm nghttp2-1.33.0-1.el8_0.1.x86_64.rpm nghttp2-debuginfo-1.33.0-1.el8_0.1.i686.rpm nghttp2-debuginfo-1.33.0-1.el8_0.1.x86_64.rpm nghttp2-debugsource-1.33.0-1.el8_0.1.i686.rpm nghttp2-debugsource-1.33.0-1.el8_0.1.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-9511 https://access.redhat.com/security/cve/CVE-2019-9513 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXXax3NzjgjWX9erEAQi9kQ/+IMCwMwgopFKISfCMxuFtkT5pcyiBl/pR 0SXidjRBQp3e8kJ8dvN401zDP8miQOpYQGI0tJUHsAhUbQTX3CSzHr+ogh7Y05VF TOUPQpuLxzPd3A0EIzkSvEGjXjyK8M4d9m+gO4OZlMxzW9UasM2pngpkpIBFk4gT zBfJcTVXkuAeUKRcG5sLyzhRLtwGvNlUN3Z8g2xKivP/7xgXAXv/5dZ7IPSOqo0k eZmOoW512N21i194IRr5ERvoZfrrTPPV0Q+jaegbJVH11ox5k8f2yMvi/ZZsRnIi 3BKwYwOKLSq0L7nzYzBj4/VB4Kam8igzWG552ZbrRUvCXZZHuBKM+4og5evhq38d TSbXt/du5aUivQlz0w108Xmlv3tQE8nH/L0QXCSoiqbsiQp9d6fOKPdumZO6F2Ty laU64aLOs07jXvVfvgk+GIocdMcwVMM5MnWolVmacHG9Pkfh3d9mrQFRj/ITIqeF J2Ne5gKvh1lAoni4E1g0KH9r6yr57Z9S9Sred3xBCxGoL0rmz+aVxkZd3PhOS5vP GLJDLiqv8vdHCeC+IpcqotGtQoDXvWPMsL0MPOYXS/3yscVzccCqguQ+ZZ+mcr6Q oV8FgJ12yqKXuXDdeVw5dUI3wabSZPFIDEVplK+WQn3JRxcQjjVXTk0tTjRL4uYM shkhrYodtxM=Vhhv -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . Bugs fixed (https://bugzilla.redhat.com/): 1649870 - CVE-2019-14820 keycloak: adapter endpoints are exposed via arbitrary URLs 1690628 - CVE-2019-3875 keycloak: missing signatures validation on CRL used to verify client certificates 1728609 - CVE-2019-10201 keycloak: SAML broker does not check existence of signature on document allowing any user impersonation 1729261 - CVE-2019-10199 keycloak: CSRF check missing in My Resources functionality in the Account Console 1735645 - CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth 1735744 - CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth 1735745 - CVE-2019-9515 HTTP/2: flood using SETTINGS frames results in unbounded memory growth 1738673 - CVE-2019-10219 hibernate-validator: safeHTML validator allows XSS 1741860 - CVE-2019-9511 HTTP/2: large amount of data requests leads to denial of service 1749487 - CVE-2019-14832 keycloak: cross-realm user access auth bypass 1751227 - CVE-2019-14838 wildfly-core: Incorrect privileges for 'Monitor', 'Auditor' and 'Deployer' user by default 1755831 - CVE-2019-16335 jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource 1755849 - CVE-2019-14540 jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig 1758167 - CVE-2019-17267 jackson-databind: Serialization gadgets in classes of the ehcache package 1758171 - CVE-2019-14892 jackson-databind: Serialization gadgets in classes of the commons-configuration package 1758182 - CVE-2019-14893 jackson-databind: Serialization gadgets in classes of the xalan package 1758187 - CVE-2019-16942 jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* 1758191 - CVE-2019-16943 jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource 1764607 - CVE-2019-0210 thrift: Out-of-bounds read related to TJSONProtocol or TSimpleJSONProtocol 1764612 - CVE-2019-0205 thrift: Endless loop when feed with specific input data 1764658 - CVE-2019-12400 xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source 1767483 - CVE-2019-10086 apache-commons-beanutils: does not suppresses the class property in PropertyUtilsBean by default 1772008 - CVE-2019-14887 wildfly: The 'enabled-protocols' value in legacy security is not respected if OpenSSL security provider is in use 1772464 - CVE-2019-14888 undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS 1775293 - CVE-2019-17531 jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* 1793154 - CVE-2019-20330 jackson-databind: lacks certain net.sf.ehcache blocking 1796225 - CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling 1802444 - CVE-2020-1729 SmallRye: SecuritySupport class is incorrectly public and contains a static method to access the current threads context class loader 1815470 - CVE-2020-10673 jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution 1815495 - CVE-2020-10672 jackson-databind: mishandles the interaction between serialization gadgets and typing which could result in remote command execution 1816170 - CVE-2019-12406 cxf: does not restrict the number of message attachments 1816175 - CVE-2019-12419 cxf: OpenId Connect token service does not properly validate the clientId 1816330 - CVE-2020-8840 jackson-databind: Lacks certain xbean-reflect/JNDI blocking 1816332 - CVE-2020-9546 jackson-databind: Serialization gadgets in shaded-hikari-config 1816337 - CVE-2020-9547 jackson-databind: Serialization gadgets in ibatis-sqlmap 1816340 - CVE-2020-9548 jackson-databind: Serialization gadgets in anteros-core 1819208 - CVE-2020-10968 jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider 1819212 - CVE-2020-10969 jackson-databind: Serialization gadgets in javax.swing.JEditorPane 1821304 - CVE-2020-11111 jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory 1821311 - CVE-2020-11112 jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider 1821315 - CVE-2020-11113 jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime 1826798 - CVE-2020-11620 jackson-databind: Serialization gadgets in commons-jelly:commons-jelly 1826805 - CVE-2020-11619 jackson-databind: Serialization gadgets in org.springframework:spring-aop 5. Description: Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. See the Red Hat JBoss Enterprise Application Platform 7.2.5 Release Notes for information about the most significant bug fixes and enhancements included in this release. Solution: Before applying this update, ensure all previously released errata relevant to your system have been applied. JIRA issues fixed (https://issues.jboss.org/): JBEAP-17075 - (7.2.z) Upgrade yasson from 1.0.2.redhat-00001 to 1.0.5 JBEAP-17220 - (7.2.x) HHH-13504 Upgrade ByteBuddy to 1.9.11 JBEAP-17365 - [GSS](7.2.z) Upgrade RESTEasy from 3.6.1.SP6 to 3.6.1.SP7 JBEAP-17476 - [GSS](7.2.z) Upgrade Generic JMS RA 2.0.2.Final JBEAP-17478 - [GSS](7.2.z) Upgrade JBoss Remoting from 5.0.14.SP1 to 5.0.16.Final JBEAP-17483 - [GSS](7.2.z) Upgrade Apache CXF from 3.2.9 to 3.2.10 JBEAP-17495 - (7.2.z) Upgrade PicketLink from 2.5.5.SP12-redhat-00007 to 2.5.5.SP12-redhat-00009 JBEAP-17496 - (7.2.z) Upgrade PicketLink bindings from 2.5.5.SP12-redhat-00007 to 2.5.5.SP12-redhat-00009 JBEAP-17513 - [GSS](7.2.z) Upgrade Hibernate ORM from 5.3.11.SP1 to 5.3.13 JBEAP-17521 - (7.2.z) Upgrade picketbox from 5.0.3.Final-redhat-00004 to 5.0.3.Final-redhat-00005 JBEAP-17523 - [GSS](7.2.z) Upgrade wildfly-core from 6.0.16 to 6.0.17 JBEAP-17547 - [GSS](7.2.z) Upgrade Elytron-Tool from 1.4.3 to 1.4.4.Final JBEAP-17548 - [GSS](7.2.z) Upgrade Elytron from 1.6.4.Final-redhat-00001 to 1.6.5.Final-redhat-00001 JBEAP-17560 - [GSS](7.2.z) Upgrade HAL from 3.0.16 to 3.0.17 JBEAP-17579 - [GSS](7.2.z) Upgrade JBoss MSC from 1.4.8 to 1.4.11 JBEAP-17582 - [GSS](7.2.z) Upgrade JSF based on Mojarra 2.3.5.SP3-redhat-00002 to 2.3.5.SP3-redhat-00003 JBEAP-17605 - Tracker bug for the EAP 7.2.5 release for RHEL-8 JBEAP-17631 - [GSS](7.2.z) Upgrade Undertow from 2.0.25.SP1 to 2.0.26.SP3 JBEAP-17647 - [GSS](7.2.z) Upgrade IronJacamar from 1.4.17.Final to 1.4.18.Final JBEAP-17665 - [GSS](7.2.z) Upgrade XNIO from 3.7.3.Final-redhat-00001 to 3.7.6.Final JBEAP-17722 - [GSS](7.2.z) Upgrade wildfly-http-client from 1.0.15.Final-redhat-00001 to 1.0.17.Final JBEAP-17874 - (7.2.z) Upgrade to wildfly-openssl 1.0.8 JBEAP-17880 - (7.2.z) Upgrade XNIO from 3.7.6.Final-redhat-00001 to 3.7.6.SP1 7. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release adds the new Apache HTTP Server 2.4.37 packages that are part of the JBoss Core Services offering. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Installation instructions are available from the Fuse 7.7.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.7/ 4. Bugs fixed (https://bugzilla.redhat.com/): 1343616 - CVE-2016-4970 netty: Infinite loop vulnerability when handling renegotiation using SslProvider.OpenSsl 1620529 - CVE-2018-1000632 dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents 1632452 - CVE-2018-3831 elasticsearch: Information exposure via _cluster/settings API 1637492 - CVE-2018-11797 pdfbox: unbounded computation in parser resulting in a denial of service 1638391 - CVE-2018-12541 vertx: WebSocket HTTP upgrade implementation holds the entire http request in memory before the handshake 1697598 - CVE-2019-3797 spring-data-jpa: Additional information exposure with Spring Data JPA derived queries 1700016 - CVE-2019-0231 mina-core: Retaining an open socket in close_notify SSL-TLS leading to Information disclosure. 1713468 - CVE-2019-12086 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server. Description: AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link (you must log in to download the update). Summary: Updated Quay packages that fix several bugs and add various enhancements are now available. Bug Fix(es): * Fixed repository mirror credentials properly escaped to allow special characters * Fixed repository mirror UI cancel button enabled * Fixed repository mirror UI change next sync date 3. Solution: Please download the release images via: quay.io/redhat/quay:v3.1.1 quay.io/redhat/clair-jwt:v3.1.1 quay.io/redhat/quay-builder:v3.1.1 4. Summary: This is a security update for JBoss EAP Continuous Delivery 18.0. You must restart the JBoss server process for the update to take effect

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

xss

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2026-03-05T21:58:41.571000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE