HTTP/2 服务器拒绝服务漏洞

CVE编号

CVE-2019-9514

利用情况

暂无

补丁情况

官方补丁

披露时间

2019-08-13

漏洞描述

某些HTTP / 2实现容易受到重置洪水的攻击，有可能导致拒绝服务。攻击者打开多个流，并在每个流上发送无效请求，该请求应从对等方请求RST_STREAM帧流。根据对等方如何对RST_STREAM帧进行排队，这可能会消耗过多的内存，CPU或同时消耗这两者。

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.html
http://seclists.org/fulldisclosure/2019/Aug/16
http://www.openwall.com/lists/oss-security/2019/08/20/1
https://access.redhat.com/errata/RHSA-2019:2594
https://access.redhat.com/errata/RHSA-2019:2661
https://access.redhat.com/errata/RHSA-2019:2682
https://access.redhat.com/errata/RHSA-2019:2690
https://access.redhat.com/errata/RHSA-2019:2726
https://access.redhat.com/errata/RHSA-2019:2766
https://access.redhat.com/errata/RHSA-2019:2769
https://access.redhat.com/errata/RHSA-2019:2796
https://access.redhat.com/errata/RHSA-2019:2861
https://access.redhat.com/errata/RHSA-2019:2925
https://access.redhat.com/errata/RHSA-2019:2939
https://access.redhat.com/errata/RHSA-2019:2955
https://access.redhat.com/errata/RHSA-2019:2966
https://access.redhat.com/errata/RHSA-2019:3131
https://access.redhat.com/errata/RHSA-2019:3245
https://access.redhat.com/errata/RHSA-2019:3265
https://access.redhat.com/errata/RHSA-2019:3892
https://access.redhat.com/errata/RHSA-2019:3906
https://access.redhat.com/errata/RHSA-2019:4018
https://access.redhat.com/errata/RHSA-2019:4019
https://access.redhat.com/errata/RHSA-2019:4020
https://access.redhat.com/errata/RHSA-2019:4021
https://access.redhat.com/errata/RHSA-2019:4040
https://access.redhat.com/errata/RHSA-2019:4041
https://access.redhat.com/errata/RHSA-2019:4042
https://access.redhat.com/errata/RHSA-2019:4045
https://access.redhat.com/errata/RHSA-2019:4269
https://access.redhat.com/errata/RHSA-2019:4273
https://access.redhat.com/errata/RHSA-2019:4352
https://access.redhat.com/errata/RHSA-2020:0406
https://access.redhat.com/errata/RHSA-2020:0727
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-pa...
https://kb.cert.org/vuls/id/605641/
https://kc.mcafee.com/corporate/index?page=content&id=SB10296
https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35a...
https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c...
https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c...
https://lists.debian.org/debian-lts-announce/2020/12/msg00011.html
https://lists.fedoraproject.org/archives/list/[email protected]...
https://lists.fedoraproject.org/archives/list/[email protected]...
https://lists.fedoraproject.org/archives/list/[email protected]...
https://lists.fedoraproject.org/archives/list/[email protected]...
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2019-9514
https://seclists.org/bugtraq/2019/Aug/24
https://seclists.org/bugtraq/2019/Aug/31
https://seclists.org/bugtraq/2019/Aug/43
https://seclists.org/bugtraq/2019/Sep/18
https://security.netapp.com/advisory/ntap-20190823-0001/
https://security.netapp.com/advisory/ntap-20190823-0004/
https://security.netapp.com/advisory/ntap-20190823-0005/
https://support.f5.com/csp/article/K01988340
https://support.f5.com/csp/article/K01988340?utm_source=f5support&utm_medium=RSS
https://usn.ubuntu.com/4308-1/
https://www.debian.org/security/2019/dsa-4503
https://www.debian.org/security/2019/dsa-4508
https://www.debian.org/security/2019/dsa-4520
https://www.debian.org/security/2020/dsa-4669
https://www.synology.com/security/advisory/Synology_SA_19_33

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	apache	traffic_server	*	From (including) 6.0.0	Up to (including) 6.2.3
	运行在以下环境
	应用	apache	traffic_server	*	From (including) 7.0.0	Up to (including) 7.1.6
	运行在以下环境
	应用	apache	traffic_server	*	From (including) 8.0.0	Up to (including) 8.0.3
	运行在以下环境
	应用	apple	swiftnio	*	From (including) 1.0.0	Up to (including) 1.4.0
	运行在以下环境
	应用	f5	big-ip_local_traffic_manager	*	From (including) 11.6.1	Up to (excluding) 11.6.5.1
	运行在以下环境
	应用	f5	big-ip_local_traffic_manager	*	From (including) 12.1.0	Up to (excluding) 12.1.5.1
	运行在以下环境
	应用	f5	big-ip_local_traffic_manager	*	From (including) 13.1.0	Up to (excluding) 13.1.3.2
	运行在以下环境
	应用	f5	big-ip_local_traffic_manager	*	From (including) 14.0.0	Up to (excluding) 14.0.1.1
	运行在以下环境
	应用	f5	big-ip_local_traffic_manager	*	From (including) 14.1.0	Up to (excluding) 14.1.2.1
	运行在以下环境
	应用	f5	big-ip_local_traffic_manager	*	From (including) 15.0.0	Up to (excluding) 15.0.1.1
	运行在以下环境
	应用	mcafee	web_gateway	*	From (including) 7.7.2.0	Up to (excluding) 7.7.2.24
	运行在以下环境
	应用	mcafee	web_gateway	*	From (including) 7.8.2.0	Up to (excluding) 7.8.2.13
	运行在以下环境
	应用	mcafee	web_gateway	*	From (including) 8.1.0	Up to (excluding) 8.2.0
	运行在以下环境
	应用	netapp	cloud_insights	-	-
	运行在以下环境
	应用	netapp	trident	-	-
	运行在以下环境
	应用	oracle	graalvm	19.2.0	-
	运行在以下环境
	应用	redhat	developer_tools	1.0	-
	运行在以下环境
	应用	redhat	jboss_core_services	1.0	-
	运行在以下环境
	应用	redhat	jboss_enterprise_application_platform	7.2.0	-
	运行在以下环境
	应用	redhat	jboss_enterprise_application_platform	7.3.0	-
	运行在以下环境
	应用	redhat	openshift_container_platform	3.10	-
	运行在以下环境
	应用	redhat	openshift_container_platform	3.11	-
	运行在以下环境
	应用	redhat	openshift_container_platform	3.9	-
	运行在以下环境
	应用	redhat	openshift_container_platform	4.1	-
	运行在以下环境
	应用	redhat	openshift_container_platform	4.2	-
	运行在以下环境
	应用	redhat	openshift_service_mesh	1.0	-
	运行在以下环境
	应用	redhat	openstack	14	-
	运行在以下环境
	应用	redhat	quay	3.0.0	-
	运行在以下环境
	应用	redhat	single_sign-on	7.3	-
	运行在以下环境
	应用	redhat	software_collections	1.0	-
	运行在以下环境
	应用	synology	diskstation_manager	6.2	-
	运行在以下环境
应用	synology	skynas	-	-
运行在以下环境
系统	alpine_3.10	nodejs	*		Up to (excluding) 10.16.3-r0
运行在以下环境
系统	alpine_3.11	nodejs	*		Up to (excluding) 10.16.3-r0
运行在以下环境
系统	alpine_3.12	nodejs	*		Up to (excluding) 10.16.3-r0
运行在以下环境
系统	alpine_3.13	nodejs	*		Up to (excluding) 1.12.8-r0
运行在以下环境
系统	alpine_3.14	nodejs	*		Up to (excluding) 2.2.6-r0
运行在以下环境
系统	alpine_3.15	nodejs	*		Up to (excluding) 10.16.3-r0
运行在以下环境
系统	alpine_3.9	nodejs	*		Up to (excluding) 10.16.3-r0
运行在以下环境
系统	alpine_edge	nodejs	*		Up to (excluding) 19.10.0-r0
运行在以下环境
系统	amazon linux_2	nodejs	*		Up to (excluding) 1.9.4-3.amzn2.0.2
运行在以下环境
系统	amazon linux_AMI	nodejs	*		Up to (excluding) 1.12.8-1.51.amzn1
运行在以下环境
系统	amazon_2	nodejs	*		Up to (excluding) 1.9.4-3.amzn2.0.2
运行在以下环境
系统	amazon_AMI	nodejs	*		Up to (excluding) 1.12.8-1.51.amzn1
运行在以下环境
系统	apple	mac_os_x	*	From (including) 10.12
运行在以下环境
系统	canonical	ubuntu_linux	*	From (including) 14.04
运行在以下环境
系统	canonical	ubuntu_linux	16.04	-
运行在以下环境
系统	canonical	ubuntu_linux	18.04	-
运行在以下环境
系统	canonical	ubuntu_linux	19.04	-
运行在以下环境
系统	centos_8	nodejs	*		Up to (excluding) 1.11.13-2.module+el8.0.1+4087+d8180914
运行在以下环境
系统	debian	debian_linux	10.0	-
运行在以下环境
系统	debian	debian_linux	9.0	-
运行在以下环境
系统	debian_10	nodejs	*		Up to (excluding) 1.11.6-1+deb10u1
运行在以下环境
系统	debian_9	nodejs	*		Up to (excluding) 1.7.4-2+deb9u1
运行在以下环境
系统	fedoraproject	fedora	29	-
运行在以下环境
系统	fedoraproject	fedora	30	-
运行在以下环境
系统	fedora_29	nodejs	*		Up to (excluding) 1.11.13-1.fc29
运行在以下环境
系统	fedora_29_Modular	nodejs	*		Up to (excluding) 12-2920190821145457.6c81f848
运行在以下环境
系统	fedora_30	nodejs	*		Up to (excluding) 1.12.9-1.fc30
运行在以下环境
系统	fedora_30_Modular	nodejs	*		Up to (excluding) 12-3020190821145457.a5b0195c
运行在以下环境
系统	fedora_EPEL_6	nodejs	*		Up to (excluding) 1.13-1.el6
运行在以下环境
系统	fedora_EPEL_7	nodejs	*		Up to (excluding) 1.13-1.el7
运行在以下环境
系统	opensuse	leap	15.0	-
运行在以下环境
系统	opensuse	leap	15.1	-
运行在以下环境
系统	opensuse_Leap_15.0	nodejs	*		Up to (excluding) 1.11.13-lp151.2.9.1
运行在以下环境
系统	opensuse_Leap_15.1	nodejs	*		Up to (excluding) 1.12.9-lp151.2.9.1
运行在以下环境
系统	oracle linux_8	nodejs	*		Up to (excluding) 10.14.1-1.module+el8.0.0+5349+4d6b561f
运行在以下环境
系统	oracle_8	nodejs	*		Up to (excluding) 6.4.1-1.10.14.1.1.module+el8.0.0+5349+4d6b561f
运行在以下环境
系统	redhat	enterprise_linux	8.0	-
运行在以下环境
系统	redhat	enterprise_linux_eus	8.1	-
运行在以下环境
系统	redhat	enterprise_linux_server	7.0	-
运行在以下环境
系统	redhat	enterprise_linux_workstation	7.0	-
运行在以下环境
系统	redhat_8	nodejs	*		Up to (excluding) 1.11.13-2.module+el8.0.1+4087+d8180914
运行在以下环境
系统	sles_12	nodejs10	*		Up to (excluding) 10.16.3-1.12
运行在以下环境
系统	synology	vs960hd_firmware	-	-
运行在以下环境
系统	ubuntu_18.04	nodejs	*		Up to (excluding) 17.9.0-2ubuntu0.1
运行在以下环境
系统	ubuntu_18.04_lts	twisted	*		Up to (excluding) 17.9.0-2ubuntu0.1
运行在以下环境
系统	ubuntu_20.04	nodejs	*		Up to (excluding) 18.9.0-6ubuntu1
运行在以下环境
系统	ubuntu_21.04	nodejs	*		Up to (excluding) 18.9.0-6ubuntu1
运行在以下环境
硬件	synology	vs960hd	-	-

攻击路径远程
攻击复杂度复杂
权限要求无需权限
影响范围有限影响
EXP成熟度未验证
补丁情况官方补丁
数据保密性无影响
数据完整性无影响
服务器危害无影响
全网数量 100

CWE-ID 漏洞类型 CWE-770 不加限制或调节的资源分配

正文

HTTP/2 服务器拒绝服务漏洞

漏洞描述

解决建议

参考链接

受影响软件情况

相关阅读

IBM Jazz Reporting Service-Rational-CLM安全绕过管理任务执行漏洞

IBM Tivoli Federated Identity Manager up to 6.2.2 FP15 跨站脚本攻击

IBM WebSphere MQ Light拒绝服务漏洞

IBM Security Network Protection GSKit信息泄露漏洞

发表评论取消回复

还没有评论，来说两句吧...

目录[+]