Bug 1145579 – VUL-0: CVE-2019-9511: nginx: HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service

Bug 1145579 - (CVE-2019-9511) VUL-0: CVE-2019-9511: nginx: HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service

(CVE-2019-9511)
Summary:	VUL-0: CVE-2019-9511: nginx: HTTP/2 implementations are vulnerable to window ...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Minor
Target Milestone:	---
Assigned To:	Robert Frohl
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/239514/
Whiteboard:	CVSSv3:SUSE:CVE-2019-9511:7.5:(AV:N/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-08-14 09:31 UTC by Robert Frohl
Modified:	2021-06-28 15:06 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Robert Frohl 2019-08-14 09:31:43 UTC

CVE-2019-9511

Some HTTP/2 implementations are vulnerable to window size manipulation and
stream prioritization manipulation, potentially leading to a denial of service.
The attacker requests a large amount of data from a specified resource over
multiple streams. They manipulate window size and stream priority to force the
server to queue the data in 1-byte chunks. Depending on how efficiently this
data is queued, this can consume excess CPU, memory, or both.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9511
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9511.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511
http://www.cvedetails.com/cve/CVE-2019-9511/
https://kb.cert.org/vuls/id/605641/
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

Comment 1 Marcus Meissner 2019-08-15 15:35:59 UTC

https://github.com/nginx/nginx/commit/5ae726912654da10a9a81b2c8436829f3e94f69f

I think.

Comment 2 Robert Frohl 2019-08-29 09:43:10 UTC

(In reply to Marcus Meissner from comment #1)
> https://github.com/nginx/nginx/commit/
> 5ae726912654da10a9a81b2c8436829f3e94f69f
> 
> I think.

I think this is wrong, believe this is the correct one for this CVE is
https://github.com/nginx/nginx/commit/a987f81dd19210bc30b62591db331e31d3d74089

Comment 4 Swamp Workflow Management 2019-09-05 19:14:31 UTC

SUSE-SU-2019:2309-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1115015,1115022,1115025,1145579,1145580,1145582
CVE References: CVE-2018-16843,CVE-2018-16844,CVE-2018-16845,CVE-2019-9511,CVE-2019-9513,CVE-2019-9516
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    nginx-1.14.2-6.3.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    nginx-1.14.2-6.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 5 Swamp Workflow Management 2019-09-10 22:19:28 UTC

openSUSE-SU-2019:2120-1: An update that fixes 6 vulnerabilities is now available.

Category: security (important)
Bug References: 1115015,1115022,1115025,1145579,1145580,1145582
CVE References: CVE-2018-16843,CVE-2018-16844,CVE-2018-16845,CVE-2019-9511,CVE-2019-9513,CVE-2019-9516
Sources used:
openSUSE Leap 15.1 (src):    nginx-1.14.2-lp151.4.3.1

Comment 6 Swamp Workflow Management 2019-10-04 16:22:49 UTC

SUSE-SU-2019:2559-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1145579,1145580,1145582
CVE References: CVE-2019-9511,CVE-2019-9513,CVE-2019-9516
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    nginx-1.14.2-3.6.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    nginx-1.14.2-3.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 7 Swamp Workflow Management 2019-10-06 13:16:56 UTC

openSUSE-SU-2019:2264-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1145579,1145580,1145582
CVE References: CVE-2019-9511,CVE-2019-9513,CVE-2019-9516
Sources used:
openSUSE Leap 15.0 (src):    nginx-1.14.2-lp150.2.11.1

Comment 10 Robert Frohl 2021-06-28 15:06:16 UTC

fixed