Bug 1145663 - (CVE-2019-9514) VUL-0: CVE-2019-9514: netty: HTTP/2 implementation is vulnerable to a reset flood, potentially leading to a denial of service
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware / OS: Other / Other
Priority / Severity: P3 - Medium / Normal
Target Milestone: ---
Assigned To: Security Team bot
Depends on:
Reported: 2019-08-14 16:13 UTC by Robert Frohl
Modified: 2022-04-14 13:51 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 1 Silvio Moioli 2019-08-27 08:13:14 UTC
SUSE Manager exclusively uses netty because it is a dependency in pgjdbc-ng (a PostgreSQL Java driver), and no HTTP code from the library is used.

Netty is only used to provide implementation of byte buffers/channels/sockets/NIO I/O in general.

Does anything need to be done at all?
Comment 2 Wolfgang Frisch 2019-08-29 12:49:07 UTC
Another developer might later start to use the HTTP/2 functions of this package, or fork it to be used in another project, without being aware of the security implications. It would be preferable to have an updated version in all active repositories, in order to prevent future issues.

netty version 4.1.39 fixes this and related CVEs.

>Multiple servers / libraries that contain HTTP/2 implementations have been
>discovered to be affected by multiple DoS attacks, if the user itself does not
>provide special handlers for protection. Netty's HTTP/2 implementation is
>affected by the vulnerabilities as listed below:

>    CVE-2019-9512: Ping Flood
>    CVE-2019-9514: Reset Flood
>    CVE-2019-9515: Settings Flood
>    CVE-2019-9518: Empty DATA frame flooding
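The four CVEs quoted above share one shape: a frame that costs the client almost nothing to send but forces the server to do work (reset a stream, answer a PING, acknowledge SETTINGS, process an empty DATA frame), and a peer that keeps sending them without ever reading the replies. The following Python is an added example, not code from netty, pgjdbc-ng or this bug report: it parses raw HTTP/2 frames (RFC 7540 section 4.1 header layout) and counts the abusive frame kinds per connection, flagging a run of HEADERS + RST_STREAM pairs as the CVE-2019-9514 reset flood. The window size, the limit, the `classify`/`FloodDetector`/`analyze` names and the constructed traffic are all assumptions for illustration; netty's own mitigation in 4.1.39 is not reproduced here.

```python
"""Toy HTTP/2 frame-flood detector (added example; not netty's code)."""
import struct

FRAME_HEADER_LEN = 9
TYPE_DATA, TYPE_HEADERS, TYPE_RST_STREAM, TYPE_SETTINGS, TYPE_PING = 0x0, 0x1, 0x3, 0x4, 0x6
FLAG_END_STREAM = 0x1   # DATA / HEADERS
FLAG_ACK = 0x1          # SETTINGS / PING
FLAG_END_HEADERS = 0x4  # HEADERS
ERR_CANCEL = 0x8        # RST_STREAM error code a client uses to give up on a stream


def encode_frame(ftype, flags, stream_id, payload=b""):
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def parse_frames(data):
    """Split back-to-back frames (no connection preface) into
    (type, flags, stream_id, payload) tuples; reject truncated input."""
    frames, off = [], 0
    while off < len(data):
        if off + FRAME_HEADER_LEN > len(data):
            raise ValueError("truncated frame header at offset %d" % off)
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        start, end = off + FRAME_HEADER_LEN, off + FRAME_HEADER_LEN + length
        if end > len(data):
            raise ValueError("truncated payload for frame at offset %d" % off)
        frames.append((ftype, flags, stream_id, data[start:end]))
        off = end
    return frames


def classify(ftype, flags, stream_id, payload):
    """Name the flood class a frame belongs to, or None for ordinary traffic."""
    if ftype == TYPE_RST_STREAM:
        return "reset_flood"        # CVE-2019-9514
    if ftype == TYPE_PING and not flags & FLAG_ACK:
        return "ping_flood"         # CVE-2019-9512: each one demands a PING ACK
    if ftype == TYPE_SETTINGS and not flags & FLAG_ACK:
        return "settings_flood"     # CVE-2019-9515: each one demands a SETTINGS ACK
    if ftype == TYPE_DATA and not payload and not flags & FLAG_END_STREAM:
        return "empty_data_flood"   # CVE-2019-9518: no data, stream kept open
    return None


class FloodDetector:
    """Per-connection counter: more than `limit` frames of one flood class within
    a window of `window` consecutive frames is abuse. Both numbers are assumptions."""

    def __init__(self, window=100, limit=20):
        self.window, self.limit = window, limit
        self.seen, self.counts = 0, {}

    def feed(self, frame):
        """Account for one frame; return the flood class the moment it crosses the limit."""
        alert, kind = None, classify(*frame)
        if kind is not None:
            self.counts[kind] = self.counts.get(kind, 0) + 1
            if self.counts[kind] == self.limit + 1:
                alert = kind
        self.seen += 1
        if self.seen >= self.window:   # start a fresh window
            self.seen, self.counts = 0, {}
        return alert


def analyze(data, window=100, limit=20):
    """Return {flood_class: index of the frame that first tripped the limit}."""
    det, first = FloodDetector(window, limit), {}
    for i, frame in enumerate(parse_frames(data)):
        kind = det.feed(frame)
        if kind and kind not in first:
            first[kind] = i
    return first


# Constructed client-side traffic (header block bytes are dummies, not real HPACK).
def legit_session(requests=100):
    """Well-behaved client: HEADERS, then non-empty DATA ending the stream, rare keep-alive PINGs."""
    out = b""
    for n in range(requests):
        sid = 2 * n + 1
        out += encode_frame(TYPE_HEADERS, FLAG_END_HEADERS, sid, b"\x82")
        out += encode_frame(TYPE_DATA, FLAG_END_STREAM, sid, b"hello")
        if n % 25 == 0:
            out += encode_frame(TYPE_PING, 0, 0, b"\x00" * 8)
    return out


def reset_flood(requests=100):
    """CVE-2019-9514 pattern: open a stream, cancel it immediately, repeat."""
    out = b""
    for n in range(requests):
        sid = 2 * n + 1
        out += encode_frame(TYPE_HEADERS, FLAG_END_HEADERS, sid, b"\x82")
        out += encode_frame(TYPE_RST_STREAM, 0, sid, struct.pack("!I", ERR_CANCEL))
    return out


def ping_flood(count=30):
    """CVE-2019-9512 pattern: a stream of PINGs, none of them ACKs."""
    return b"".join(encode_frame(TYPE_PING, 0, 0, n.to_bytes(8, "big")) for n in range(count))


if __name__ == "__main__":
    print("legit:", analyze(legit_session()))   # {}
    print("reset:", analyze(reset_flood()))     # {'reset_flood': 41}
    print("ping :", analyze(ping_flood()))      # {'ping_flood': 20}
```

The detector only looks at frame types and flags, which is why it is cheap enough to sit in front of the real protocol handler; a production mitigation would also close the connection (GOAWAY with ENHANCE_YOUR_CALM) once a class trips, and would tune the window and limit to the server's actual capacity rather than the illustrative values used here. Note also that, as comment 1 states, SUSE Manager reaches netty only through pgjdbc-ng's byte-buffer and socket layers, so none of these HTTP/2 frame handlers are on its code path.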
Comment 5 Silvio Moioli 2019-08-30 06:47:42 UTC
At this point we have very little insight on the inner workings of pgjdbc-ng, so I would not feel confident about such a change until upstream pgjdbc-ng is updated and its author approves and tests such a change.

As of the latest released pgjdbc-ng version, 4.1.32.Final is required:


And the same is true for the tip of the develop branch:


Changing the dependency downstream potentially invalidates all upstream and community testing, and this represents a risk I would not suggest we run. The reason is that this library is vital in SUSE Manager/Uyuni, as each and every Salt event goes through it.

I opened a PR at pgjdbc-ng and suggest reacting only after it is merged and a new version is released.

Comment 6 Silvio Moioli 2019-09-18 07:00:24 UTC
PR was merged, now waiting for the finalization of a new version.
Comment 7 Silvio Moioli 2020-02-07 15:30:03 UTC
I submitted requests to update our netty package to 4.1.14 which fixes this vulnerability, and Uyuni patches to adapt to the new version.



This fix will be part of the next SUSE Manager major version, 4.1, as well.

Can this bug just be closed to RESOLVED?
Comment 8 Silvio Moioli 2020-02-17 12:05:29 UTC
(In reply to Silvio Moioli from comment #7)
> I submitted requests to update our netty package to 4.1.14

Typo, that was 4.1.44.

This CVE number was fixed as of 4.1.39 according to: https://netty.io/news/2019/08/13/4-1-39-Final.html
Comment 9 Gabriele Sonnu 2022-04-14 13:51:07 UTC