Bugzilla – Bug 1145663
VUL-0: CVE-2019-9514: netty: HTTP/2 implementation is vulnerable to a reset flood, potentially leading to a denial of service
Last modified: 2022-04-14 13:51:07 UTC
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading
to a denial of service. The attacker opens a number of streams and sends an
invalid request over each stream that should solicit a stream of RST_STREAM
frames from the peer. Depending on how the peer queues the RST_STREAM frames,
this can consume excess memory, CPU, or both.
SUSE Manager exclusively uses netty because it is a dependency in pgjdbc-ng (a PostgreSQL Java driver), and no HTTP code from the library is used.
Netty is only used to provide implementation of byte buffers/channels/sockets/NIO I/O in general.
Does anything need to be done at all?
Another developer might later start to use the HTTP/2 functions of this package, or fork it to be used in another project, without being aware of the security implications. It would be preferable to have an updated version in all active repositories, in order to prevent future issues.
netty version 4.1.39 fixes this and related CVEs.
>Multiple servers / libraries that contain a HTTP/2 implementations have been
>discovered to be affected by multiple DOS attacks, if the user itself does not
>provide special handlers for protection. Netty's HTTP/2 implementation is
>affected by the vulnerabilities as listed below:
> CVE-2019-9512: Ping Flood
> CVE-2019-9514: Reset Flood
> CVE-2019-9515: Settings Flood
> CVE-2019-9518: Empty DATA frame flooding
At this point we have very little insight on the inner workings of pgjdbc-ng, so I would not feel confident about such a change until upstream pgjdbc-ng is updated and its author approves and tests such a change.
As of the latest released pgjdbc-ng version 4.1.32.Final is required:
And the same is true for the tip of the develop branch:
Changing the dependency downstream potentially invalidates all upstream and community testing and this represents a risk I would not suggest we run. Reason is this library is vital in SUSE Manager/Uyuni, as each and every Salt event goes though it.
I opened a PR at pgjdbc-ng and suggest reacting only after it is merged and a new version is released.
PR was merged, now waiting for the finalization of a new version.
I submitted requests to update our netty package to 4.1.14 which fixes this vulnerability, and Uyuni patches to adapt to the new version.
This fix will be part of the next SUSE Manager major version, 4.1, as well.
Can this bug just be closed to RESOLVED?
(In reply to Silvio Moioli from comment #7)
> I submitted requests to update our netty package to 4.1.14
Typo, that was 4.1.44.
This CVE number was fixed as of 4.1.39 according to: https://netty.io/news/2019/08/13/4-1-39-Final.html