ALAS2-2019-1298

Affecting libnghttp2 package, versions <1.39.2-1.amzn2

Severity: high

Overview

Package updates are available for Amazon Linux 2 that fix the following vulnerabilities:

CVE-2019-9513: Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU. (1735741: CVE-2019-9513 HTTP/2: flood using PRIORITY frames results in excessive resource consumption)

CVE-2019-9511: Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. (1741860: CVE-2019-9511 HTTP/2: large amount of data requests leads to denial of service)
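Added example, not part of the advisory or of libnghttp2: a defender-side check that parses a raw HTTP/2 frame stream (RFC 7540 9-byte frame header) and counts the two patterns described above, PRIORITY frame churn and WINDOW_UPDATE frames with tiny increments. The thresholds, the sample bytes and the function names are assumptions made for the demonstration.

```python
import struct
from collections import Counter

# HTTP/2 frame header (RFC 7540): 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id.
FRAME_HEADERS, FRAME_PRIORITY, FRAME_WINDOW_UPDATE = 0x1, 0x2, 0x8
HEADER_LEN = 9

def build_frame(ftype, stream_id, payload=b"", flags=0):
    """Serialise one frame; used only to construct the sample input below."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def parse_frames(data):
    """Yield (type, stream_id, payload) for each complete frame; stop at a truncated one."""
    pos = 0
    while pos + HEADER_LEN <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype = data[pos + 3]
        stream_id = struct.unpack(">I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = data[pos + HEADER_LEN:pos + HEADER_LEN + length]
        if len(payload) < length:
            break
        yield ftype, stream_id, payload
        pos += HEADER_LEN + length

def assess_connection(data, max_priority=100, min_increment=1024):
    """Count PRIORITY churn (CVE-2019-9513) and tiny WINDOW_UPDATE increments (CVE-2019-9511)
    on one connection's inbound bytes. Thresholds are assumed; apply them per time window."""
    stats = Counter()
    for ftype, _sid, payload in parse_frames(data):
        stats["frames"] += 1
        if ftype == FRAME_PRIORITY:
            stats["priority_frames"] += 1
        elif ftype == FRAME_WINDOW_UPDATE and len(payload) == 4:
            if (struct.unpack(">I", payload)[0] & 0x7FFFFFFF) < min_increment:
                stats["tiny_window_updates"] += 1
    flagged = stats["priority_frames"] > max_priority or stats["tiny_window_updates"] > 0
    return {"frames": stats["frames"], "priority_frames": stats["priority_frames"],
            "tiny_window_updates": stats["tiny_window_updates"], "flagged": flagged}

def sample_stream(n_priority, shrink_window):
    """Constructed sample, not captured traffic: two streams re-parented n_priority times."""
    frames = [build_frame(FRAME_HEADERS, 1, b"\x82", 0x5), build_frame(FRAME_HEADERS, 3, b"\x82", 0x5)]
    for i in range(n_priority):
        sid, dep = (1, 3) if i % 2 else (3, 1)  # PRIORITY payload: 31-bit dependency + 1-byte weight
        frames.append(build_frame(FRAME_PRIORITY, sid, struct.pack(">I", dep) + b"\x10"))
    if shrink_window:  # 1-byte window increment on the connection (stream 0)
        frames.append(build_frame(FRAME_WINDOW_UPDATE, 0, struct.pack(">I", 1)))
    return b"".join(frames)
```

A patched libnghttp2 (1.39.2-1.amzn2 or later) is the fix; this kind of counter only helps spot a flood against hosts that are still pending the update.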

References

CVE: ALAS2-2019-1298
Snyk ID: SNYK-AMZN2-LIBNGHTTP2-490633
Published: 13 Nov, 2019