Bug 1145663 (CVE-2019-9514)

Summary: VUL-0: CVE-2019-9514: netty: HTTP/2 implementation is vulnerable to a reset flood, potentially leading to a denial of service
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: gabriele.sonnu, moio, security-team, smash_bz, wolfgang.frisch
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/239518/
See Also: http://bugzilla.opensuse.org/show_bug.cgi?id=1146115
Whiteboard: CVSSv3.1:SUSE:CVE-2019-9514:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Silvio Moioli 2019-08-27 08:13:14 UTC
SUSE Manager exclusively uses netty because it is a dependency in pgjdbc-ng (a PostgreSQL Java driver), and no HTTP code from the library is used.

Netty is only used to provide an implementation of byte buffers/channels/sockets/NIO I/O in general.

Does anything need to be done at all?
Comment 2 Wolfgang Frisch 2019-08-29 12:49:07 UTC
Another developer might later start to use the HTTP/2 functions of this package, or fork it to be used in another project, without being aware of the security implications. It would be preferable to have an updated version in all active repositories, in order to prevent future issues.

netty version 4.1.39 fixes this and related CVEs.
https://netty.io/news/2019/08/13/4-1-39-Final.html

>Multiple servers / libraries that contain an HTTP/2 implementation have been
>discovered to be affected by multiple DoS attacks, if the user itself does not
>provide special handlers for protection. Netty's HTTP/2 implementation is
>affected by the vulnerabilities as listed below:

>    CVE-2019-9512: Ping Flood
>    CVE-2019-9514: Reset Flood
>    CVE-2019-9515: Settings Flood
>    CVE-2019-9518: Empty DATA frame flooding
Comment 5 Silvio Moioli 2019-08-30 06:47:42 UTC
At this point we have very little insight on the inner workings of pgjdbc-ng, so I would not feel confident about such a change until upstream pgjdbc-ng is updated and its author approves and tests such a change.

As of the latest released pgjdbc-ng version, 4.1.32.Final is required:

https://github.com/impossibl/pgjdbc-ng/blob/v0.8.2/buildSrc/src/main/kotlin/Versions.kt#L14

And the same is true for the tip of the develop branch:

https://github.com/impossibl/pgjdbc-ng/blob/239d492d1b244974b7c6356f5fee329839087989/buildSrc/src/main/kotlin/Versions.kt#L14

Changing the dependency downstream potentially invalidates all upstream and community testing, and this represents a risk I would not suggest we run. The reason is that this library is vital in SUSE Manager/Uyuni, as each and every Salt event goes through it.

I opened a PR at pgjdbc-ng and suggest reacting only after it is merged and a new version is released.

https://github.com/impossibl/pgjdbc-ng/pull/426
Comment 6 Silvio Moioli 2019-09-18 07:00:24 UTC
PR was merged, now waiting for the finalization of a new version.
Comment 7 Silvio Moioli 2020-02-07 15:30:03 UTC
I submitted requests to update our netty package to 4.1.14, which fixes this vulnerability, and Uyuni patches to adapt to the new version.

https://github.com/uyuni-project/uyuni/pull/1877

https://build.opensuse.org/request/show/772129
https://build.opensuse.org/request/show/772127
https://build.suse.de/request/show/210975
https://build.suse.de/request/show/210973
https://build.suse.de/request/show/210972
https://build.suse.de/request/show/210970

This fix will be part of the next SUSE Manager major version, 4.1, as well.

Can this bug just be closed to RESOLVED?
Comment 8 Silvio Moioli 2020-02-17 12:05:29 UTC
(In reply to Silvio Moioli from comment #7)
> I submitted requests to update our netty package to 4.1.14

Typo, that was 4.1.44.

This CVE number was fixed as of 4.1.39 according to: https://netty.io/news/2019/08/13/4-1-39-Final.html
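As an added example (not code from this bug, from netty or from pgjdbc-ng), a small Python check that flags netty coordinates pinned below the 4.1.39.Final fix version named in comments 2 and 8, so a packager can audit a resolved dependency list instead of reasoning about which code paths a consumer like pgjdbc-ng happens to use. The `group:artifact:version` list and the Gradle-style format are constructed for illustration.

```python
import re

# Per the netty 4.1.39.Final release note quoted in comment 2, all four
# HTTP/2 flood CVEs are fixed from that version on.
NETTY_HTTP2_FLOOD_CVES = ("CVE-2019-9512", "CVE-2019-9514",
                          "CVE-2019-9515", "CVE-2019-9518")
FIXED_VERSION = (4, 1, 39)

# netty versions look like 4.1.32.Final or 4.1.44; the trailing qualifier
# (Final, a snapshot tag, ...) does not change the numeric comparison.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z0-9-]+))?$")


def parse_netty_version(version):
    """'4.1.32.Final' -> (4, 1, 32); ValueError for strings of another shape."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised netty version string: %r" % version)
    return tuple(int(part) for part in m.groups()[:3])


def is_affected(version):
    """True when the pinned netty version predates the 4.1.39 fix."""
    return parse_netty_version(version) < FIXED_VERSION


def audit_dependencies(lines):
    """Return (artifact, version) for every io.netty coordinate below the fix.

    Input is one 'group:artifact:version' coordinate per line, as printed by
    Gradle/Maven dependency listings (format assumed here, not from the bug).
    Every io.netty artifact is reported, not only netty-codec-http2, because
    comment 2's argument is that the whole package should move to a fixed
    release rather than relying on the HTTP/2 code staying unused.
    """
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or parts[0] != "io.netty":
            continue
        _group, artifact, version = parts
        if is_affected(version):
            findings.append((artifact, version))
    return findings


# Constructed sample: a pgjdbc-ng-style consumer still pinned to 4.1.32.Final
# for two netty artifacts, with one artifact already on a fixed release.
SAMPLE_DEPENDENCIES = """\
# constructed resolved-dependency list, not taken from SUSE Manager
com.impossibl.pgjdbc-ng:pgjdbc-ng:0.8.2
io.netty:netty-common:4.1.32.Final
io.netty:netty-codec-http2:4.1.32.Final
io.netty:netty-handler:4.1.44.Final
org.postgresql:postgresql:42.2.5
""".splitlines()

if __name__ == "__main__":
    for artifact, version in audit_dependencies(SAMPLE_DEPENDENCIES):
        print("%s %s predates 4.1.39.Final: %s"
              % (artifact, version, ", ".join(NETTY_HTTP2_FLOOD_CVES)))
```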
Comment 9 Gabriele Sonnu 2022-04-14 13:51:07 UTC
Done.