http2

Differences between revisions 2 and 10 (spanning 8 versions)
Revision 2 as of 2019-08-13 17:08:51 (size 5444, editor: joemcmanus)
Revision 10 as of 2019-08-14 00:03:22 (size 6071, editor: alexmurray, comment: Fix CVE description headings)

HTTP/2 Denial of Service Vulnerabilities


CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518

Jonathan Looney of Netflix discovered that a number of HTTP/2 implementations contained algorithmic inefficiencies and did not apply appropriate limits to various resources. As a result, a remote attacker could cause a denial of service against an affected HTTP/2 implementation by issuing certain sequences of requests.

For the separate attacks described, 7 CVEs were assigned, each of which affects a variety of different software packages provided in Ubuntu:

  • CVE-2019-9511 Data Dribble (https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9511.html)
  • CVE-2019-9512 Ping Flood (https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9512.html)
  • CVE-2019-9513 Resource Loop (https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9513.html)
  • CVE-2019-9514 Reset Flood (https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9514.html)
  • CVE-2019-9515 Settings Flood (https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9515.html)
  • CVE-2019-9516 0-Length Headers Leak (https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9516.html)
  • CVE-2019-9517 Internal Data Buffering (https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9517.html)

Piotr Sikora of Google subsequently discovered a related vulnerability in Netty:

  • CVE-2019-9518 Empty Frame Flooding (https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9518.html)

CVE-2019-9511 - Data Dribble

In this attack, a client requests 1MB of data from the server over 100 streams, for a total request of 100MB. By manipulating window sizes and stream priorities, it can force the server to queue the data in 1-byte chunks. Vulnerable versions of nginx store these 1-byte chunks in a linear list which contains up to 100 million entries and becomes computationally expensive to process. By consuming a large amount of CPU processing this list, a CPU-based denial-of-service can be achieved.

CVE-2019-9512 - Ping Flood

A client sends continual HTTP/2 pings to the server, which internally queues up responses, one for each incoming ping. In some implementations (e.g. Go), no bound is placed on this queue, so it is possible to exhaust available memory, resulting in a memory-based denial-of-service.

CVE-2019-9513 - Resource Loop

For this attack, a client creates multiple request streams and then continually modifies the priorities of each stream, resulting in significant churn and hence CPU work on the server. By consuming excess CPU, this can lead to a CPU-based denial-of-service.

CVE-2019-9514 - Reset Flood

Opening a large number of streams to the server and sending an invalid request over each solicits a correspondingly large number of RST_STREAM frames from the server. If these are queued without bound, or in a computationally inefficient manner, either a memory- or CPU-based denial-of-service can be achieved.

CVE-2019-9515 - Settings Flood

Similar to Ping Flood (CVE-2019-9512): by sending a stream of empty SETTINGS frames to the server (which, as per the HTTP/2 specification, is required to respond to each with a separate acknowledgement), a client can cause either a CPU- or memory-based denial-of-service for the server.

CVE-2019-9516 - 0-Length Headers Leak

In this attack, a client sends a stream of headers with no actual data (i.e. a 0-length header name and 0-length header value), each of which may be represented and stored in an allocation on the server whilst the session is open. This can result in a memory-based denial-of-service for the server.

CVE-2019-9517 - Internal Data Buffering

By closing the TCP window whilst leaving the HTTP/2 window open, a client can cause the server to consume excess memory due to buffering of the requested object, which cannot actually be written to the client. This allows the client to cause either a memory- or CPU-based denial-of-service for the server.

CVE-2019-9518 - Empty Frame Flooding

A client can send a stream of empty DATA (or other) frames without setting the end-of-stream flag. As a result, the server will spend CPU time processing each frame, which can result in a CPU-based denial-of-service (as the time spent processing each empty frame is disproportionate to the size of the frame).
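The common thread in the flood-style issues above (Ping Flood, Settings Flood, Empty Frame Flooding) is the absence of a per-connection budget on frames that cost the server work without the client reading anything back; the Go sketch below, written for this page and not taken from Go, nginx or any other listed project, parses the RFC 7540 frame header and enforces two such budgets. The limit values and the FloodGuard/ErrEnhanceYourCalm names are assumptions made here; a real server would also decrement the reply count as acknowledgements are flushed to the client.

```go
package main

import "errors"

// Frame types and flags from RFC 7540 used below.
const frameData, frameSettings, framePing, flagEndStream, flagAck = 0x0, 0x4, 0x6, 0x1, 0x1

// ErrEnhanceYourCalm tells the caller to send GOAWAY and close the connection.
var ErrEnhanceYourCalm = errors.New("per-connection frame budget exceeded")

// FrameHeader is the 9-octet header preceding every HTTP/2 frame.
type FrameHeader struct {
	Length      uint32 // 24-bit payload length
	Type, Flags uint8
	StreamID    uint32 // 31 bits; the reserved high bit is masked off
}

// ParseFrameHeader decodes one frame header from the start of b.
func ParseFrameHeader(b []byte) (FrameHeader, error) {
	if len(b) < 9 {
		return FrameHeader{}, errors.New("short frame header")
	}
	return FrameHeader{
		Length:   uint32(b[0])<<16 | uint32(b[1])<<8 | uint32(b[2]),
		Type:     b[3], Flags: b[4],
		StreamID: uint32(b[5]&0x7f)<<24 | uint32(b[6])<<16 | uint32(b[7])<<8 | uint32(b[8]),
	}, nil
}

// FloodGuard holds two per-connection budgets the affected servers lacked: replies
// queued for unacknowledged PING/SETTINGS frames (a real server decrements the count
// as replies are written out) and empty DATA frames that burn CPU without progress.
type FloodGuard struct {
	MaxQueuedReplies, MaxEmptyFrames int
	queuedReplies, emptyFrames       int
}

// Observe accounts one inbound frame; ErrEnhanceYourCalm means stop serving the connection.
func (g *FloodGuard) Observe(h FrameHeader) error {
	switch {
	case (h.Type == framePing || h.Type == frameSettings) && h.Flags&flagAck == 0:
		g.queuedReplies++ // each non-ACK frame obliges exactly one reply
	case h.Type == frameData && h.Length == 0 && h.Flags&flagEndStream == 0:
		g.emptyFrames++
	}
	if g.queuedReplies > g.MaxQueuedReplies || g.emptyFrames > g.MaxEmptyFrames {
		return ErrEnhanceYourCalm
	}
	return nil
}
```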

Status

The following table provides a summary of which packages are affected by which vulnerability (for full details please consult the linked entry in the Ubuntu CVE Tracker). Y = affected, N = not affected, an empty field corresponds to an unknown status.

Source Package | CVE-2019-9511 | CVE-2019-9512 | CVE-2019-9513 | CVE-2019-9514 | CVE-2019-9515 | CVE-2019-9516 | CVE-2019-9517 | CVE-2019-9518
apache2        | N             | N             | N             | N             | N             |               | Y             |
golang-1.x     | N             | Y             | N             | Y             | N             | N             | N             | N
nghttp2        | Y             | N             | Y             | N             | N             | N             | N             |
nginx          | Y             | N             | Y             | N             | N             | Y             | N             | N
twisted        | N             | Y             | N             | Y             | N             | N             | N             |

Mitigations

HTTP/2 support is not enabled by default for either apache2 or nginx in Ubuntu, so only sites which have specifically enabled this feature via a specific configuration change are affected.

Updates

Updated packages for apache2 and nghttp2 are expected to be available soon after the coordinated release date (CRD) of 5pm UTC on the 13th of August, 2019. Due to the unavailability of patches prior to the CRD for nginx, golang and twisted, these updates are expected to take longer to prepare and so will likely only be available 24 hours or more after the CRD. Note, these are only estimates and as more specific details are known regarding the availability of patches for these packages, this article will be updated.

Timeline

  • 2019 May 07: The Ubuntu Security Team is notified privately
  • 2019 Aug 13: The issue becomes public at the coordinated release date

SecurityTeam/KnowledgeBase/http2 (last edited 2019-08-14 00:03:22 by alexmurray)