Bugzilla – Bug 966514
VUL-0: CVE-2016-1544: nghttpd,nghttp,libnghttp2_asio: Out of memory due to unlimited incoming HTTP header fields
Last modified: 2021-10-25 14:50:00 UTC
Security Advisory CVE-2016-1544: Out of memory in nghttpd, nghttp, and libnghttp2_asio applications due to unlimited incoming HTTP header fields.

Vulnerability

nghttpd, nghttp, and libnghttp2_asio applications do not limit the memory usage for the incoming HTTP header field. If peer sends specially crafted HTTP/2 HEADERS frames and CONTINUATION frames, they will crash with out of memory error.

HTTP/2 uses HPACK to compress header fields. The basic idea is that HTTP header field is stored in the receiver with the numeric index number. The memory used by this storage is tightly constrained, and it is 4KiB by default. When sender sends the same header field, it just sends the corresponding numeric index number, which is usually 1 or 2 bytes. This means that after the sender makes the receiver store the relatively large header field (e.g., 4KiB), it can send specially crafted HEADERS/CONTINUATION frames which contain a lot of references to the stored header field, and so the sender can effectively send lots of big header fields to the receiver quite easily.

nghttpd, nghttp, and libnghttp2_asio applications do not limit the memory usage for received header fields, so if the peer performs the procedure described above, they will crash due to out of memory.

Note that libnghttp2 itself is not affected by this vulnerability.

Affected Versions

Affected versions: nghttp2 <= 1.7.0
Not affected versions: nghttp2 >= 1.7.1
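The size accounting the advisory says was missing, as an added example that is not part of this bug report or of nghttp2's code: a C model of a receiver that sums the uncompressed size of indexed header fields and, when given a limit, stops decoding once the limit is passed. The 64 KiB limit, the single table entry and all function and type names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATIC_ENTRIES 61 /* RFC 7541 Appendix A: indices 1..61 are static */
#define FIELD_OVERHEAD 32 /* per-field overhead in the header list size */
struct dyn_entry { size_t name_len, value_len; }; /* model: lengths only */
enum status { DECODE_OK, DECODE_UNSUPPORTED, DECODE_LIMIT_EXCEEDED };

/* Sum the uncompressed size of a header block made of one-byte indexed
 * fields (RFC 7541 section 6.1) that reference the dynamic table.
 * limit == 0 models the unbounded receiver; otherwise stop past limit. */
enum status account_block(const uint8_t *blk, size_t len,
                          const struct dyn_entry *tbl, size_t tbl_len,
                          size_t limit, size_t *decoded)
{
    *decoded = 0;
    for (size_t i = 0; i < len; i++) {
        size_t idx = blk[i] & 0x7f;
        /* Literals, multi-byte integers and static entries: not modelled. */
        if (!(blk[i] & 0x80) || idx == 0x7f || idx <= STATIC_ENTRIES ||
            idx - STATIC_ENTRIES > tbl_len)
            return DECODE_UNSUPPORTED;
        const struct dyn_entry *e = &tbl[idx - STATIC_ENTRIES - 1];
        *decoded += e->name_len + e->value_len + FIELD_OVERHEAD;
        if (limit && *decoded > limit)
            return DECODE_LIMIT_EXCEEDED; /* caller would reject the block */
    }
    return DECODE_OK;
}

/* Constructed input: one table entry of 1 + 4063 + 32 = 4096 bytes, then
 * `refs` one-byte references to it (0xbe = indexed field, index 62). */
static uint8_t frame[16384];
static enum status last_status;
size_t run_model(size_t refs, size_t limit)
{
    const struct dyn_entry tbl[] = { { 1, 4063 } };
    size_t decoded;
    if (refs > sizeof frame) refs = sizeof frame;
    memset(frame, 0xbe, refs);
    last_status = account_block(frame, refs, tbl, 1, limit, &decoded);
    return decoded;
}

int main(void)
{
    size_t unbounded = run_model(16384, 0), capped = run_model(16384, 65536);
    printf("no limit: %zu, 64 KiB cap: %zu (status %d)\n", unbounded, capped, (int)last_status);
    return 0;
}
```

In this model a single 16 KiB header block expands to 64 MiB when no limit is applied, while the capped receiver stops after the seventeenth reference.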
This is an autogenerated message for OBS integration: This bug (966514) was mentioned in https://build.opensuse.org/request/show/359072 Factory / nghttp2
bugbot adjusting priority
Maybe security team will want to standardize bug for them. Only 42.1, Factory and 12sp2 will need an action. For 12sp2, version update to 1.7.1 was submitted.
Only remaining submission is for Leap, where affected libnghttp2_asio is present, I will hopefully submit mr during this week.
Moving to security incidents for tracking. We are satisfied with the resolution for the unreleased SLE 12 SP2, and will happily process the openSUSE Leap 42.1 submission.
openSUSE Leap 42.1 submission received, assigning back to security team
This is an autogenerated message for OBS integration: This bug (966514) was mentioned in https://build.opensuse.org/request/show/361823 42.1 / nghttp2
openSUSE-SU-2016:0675-1: An update that fixes one vulnerability is now available.
Category: security (low)
Bug References: 966514
CVE References: CVE-2016-1544
Sources used:
openSUSE Leap 42.1 (src): nghttp2-1.3.4-3.1
released
SUSE-SU-2021:0932-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.
Category: security (important)
Bug References: 1082318,1088639,1112438,1125689,1134616,1146182,1146184,1181358,962914,964140,966514
CVE References: CVE-2016-1544,CVE-2018-1000168,CVE-2019-9511,CVE-2019-9513,CVE-2020-11080
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): nghttp2-1.39.2-3.5.1
SUSE OpenStack Cloud Crowbar 8 (src): nghttp2-1.39.2-3.5.1
SUSE OpenStack Cloud 9 (src): nghttp2-1.39.2-3.5.1
SUSE OpenStack Cloud 8 (src): nghttp2-1.39.2-3.5.1
SUSE OpenStack Cloud 7 (src): nghttp2-1.39.2-3.5.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): nghttp2-1.39.2-3.5.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src): nghttp2-1.39.2-3.5.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src): nghttp2-1.39.2-3.5.1
SUSE Linux Enterprise Server 12-SP5 (src): nghttp2-1.39.2-3.5.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): nghttp2-1.39.2-3.5.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src): nghttp2-1.39.2-3.5.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): nghttp2-1.39.2-3.5.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src): nghttp2-1.39.2-3.5.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): nghttp2-1.39.2-3.5.1
HPE Helion Openstack 8 (src): nghttp2-1.39.2-3.5.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.