FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

nghttp2 -- multiple vulnerabilities

Affected packages
libnghttp2 < 1.39.2
nghttp2 < 1.39.2

Details

VuXML ID: 121fec01-c042-11e9-a73f-b36f5969f162
Discovery: 2019-08-13
Entry: 2019-08-16

nghttp2 GitHub releases:

This release fixes the CVE-2019-9511 "Data Dribble" and CVE-2019-9513 "Resource Loop" vulnerabilities in nghttpx and nghttpd. Specially crafted HTTP/2 frames cause Denial of Service by consuming CPU time. Check out https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for details. For nghttpx, additionally limiting inbound traffic by the --read-rate and --read-burst options is quite effective against this kind of attack.

CVE-2019-9511 "Data Dribble": The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

CVE-2019-9513 "Ping Flood": The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
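
As an added illustration of the server-side bookkeeping that defends against the two patterns above (example code, not nghttp2's own code and not part of this entry): a small Python guard that closes a connection once PING ACKs pile up unflushed, or once the peer keeps re-opening the flow-control window a few bytes at a time. The thresholds and the (kind, attrs) frame-event format are assumptions made for this example.

```python
from dataclasses import dataclass

# Thresholds are assumptions chosen for this example, not nghttp2's own defaults.
MAX_PENDING_ACKS = 1000   # PING ACKs queued for sending but not yet written to the socket
MIN_SANE_INCREMENT = 16   # WINDOW_UPDATE increments smaller than this count as "tiny"
MAX_TINY_UPDATES = 64     # tiny increments tolerated before the connection is closed


@dataclass
class ConnectionGuard:
    pending_acks: int = 0
    tiny_updates: int = 0
    reason: str = ""      # non-empty once the connection should be torn down

    def on_frame(self, kind: str, **attrs) -> bool:
        """Feed one inbound frame; returns False once the connection should be closed."""
        if self.reason:
            return False
        if kind == "PING" and not attrs.get("ack", False):
            # Each unsolicited PING queues a PING ACK; a peer that never reads lets it grow (Ping Flood).
            self.pending_acks += 1
            if self.pending_acks > MAX_PENDING_ACKS:
                self.reason = f"ping flood: {self.pending_acks} unflushed ACKs"
        elif kind == "WINDOW_UPDATE" and attrs["increment"] < MIN_SANE_INCREMENT:
            # Re-opening the window a byte at a time forces one DATA frame per byte (Data Dribble).
            self.tiny_updates += 1
            if self.tiny_updates > MAX_TINY_UPDATES:
                self.reason = f"data dribble: {self.tiny_updates} tiny window updates"
        return not self.reason

    def on_flush(self, acks_written: int) -> None:
        """Called when the socket drains; a well-behaved peer keeps this count near zero."""
        self.pending_acks = max(0, self.pending_acks - acks_written)


def replay(events) -> str:
    """Run constructed (kind, attrs) events through a fresh guard; returns the close reason."""
    guard = ConnectionGuard()
    for kind, attrs in events:
        if kind == "FLUSH":
            guard.on_flush(attrs["acks"])
        elif not guard.on_frame(kind, **attrs):
            break
    return guard.reason


# Constructed traces: a normal client, a ping flood, and a one-byte window dribble.
NORMAL = [("PING", {}), ("FLUSH", {"acks": 1}), ("WINDOW_UPDATE", {"increment": 65535})] * 20
PING_FLOOD = [("PING", {})] * 1200
DRIBBLE = [("WINDOW_UPDATE", {"increment": 1})] * 100
```

Running `replay` over each trace returns an empty string for NORMAL and a close reason for the other two; a real server would emit GOAWAY and drop the connection at that point.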

References

CVE Name: CVE-2019-9511
CVE Name: CVE-2019-9513
URL: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
URL: https://github.com/nghttp2/nghttp2/releases