http2

Revision 2 as of 2019-08-13 17:08:51


HTTP/2 Denial of Service Vulnerabilities


CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518

Jonathan Looney of Netflix discovered that a number of HTTP/2 implementations contained algorithmic inefficiencies and did not apply appropriate limits to various resources. As a result, a remote attacker could cause a denial of service against the affected HTTP/2 implementation by issuing certain sequences of requests.

For the separate attacks described, 7 CVEs were assigned, each of which affects a variety of different software packages provided in Ubuntu:

  • CVE-2019-9511 Data Dribble
  • CVE-2019-9512 Ping Flood
  • CVE-2019-9513 Resource Loop
  • CVE-2019-9514 Reset Flood
  • CVE-2019-9515 Settings Flood
  • CVE-2019-9516 0-Length Headers Leak
  • CVE-2019-9517 Internal Data Buffering

Piotr Sikora of Google subsequently discovered a related vulnerability in Netty:

  • CVE-2019-9518 Empty Frame Flooding

CVE-2019-9511 - Data Dribble

In this attack, a client will request 1MB of data from the server over 100 streams, for a total request of 100MB. By manipulating window sizes and stream priorities, it can force the server to queue the data in 1-byte chunks. Vulnerable versions of nginx store these 1-byte chunks in a linear list which contains up to 100 million entries and becomes computationally expensive to process. By consuming a large amount of CPU processing this list, a CPU-based denial-of-service can be achieved.

CVE-2019-9512 - Ping Flood

A client will send continual HTTP/2 pings to the server, which internally queues up responses, one for each incoming ping. In some implementations (e.g. Go), there is no bound placed on the queue, so it is possible to exhaust available memory, resulting in a memory-based denial-of-service.

CVE-2019-9513 - Resource Loop

For this attack, a client creates multiple request streams and then continually modifies the priorities of each stream, resulting in significant churn and hence CPU work on the server. By consuming excess CPU, this can lead to a CPU-based denial-of-service.

CVE-2019-9514 - Reset Flood

By opening a large number of streams to the server and sending an invalid request over each, a client solicits a correspondingly large number of RST_STREAM frames from the server. If these are queued without bound, or in a computationally inefficient manner, either a memory- or CPU-based denial-of-service can be achieved.

CVE-2019-9515 - Settings Flood

Similar to Ping Flood (CVE-2019-9512): by sending a stream of empty SETTINGS frames to the server (which, as per the HTTP/2 specification, is required to respond to each with a separate acknowledgement), a client can cause either a CPU- or memory-based denial-of-service for the server.

CVE-2019-9516 - 0-Length Headers Leak

In this attack, a client will send a stream of headers with no actual data (i.e. a 0-length header name and 0-length header value), which may be represented and stored in an allocation on the server whilst the session is open. This can result in a memory-based denial-of-service for the server.

CVE-2019-9517 - Internal Data Buffering

By closing the TCP window whilst leaving the HTTP/2 window open, a client can cause the server to consume excess memory due to buffering of the requested object, which cannot actually be written to the client. This allows the client to cause either a memory- or CPU-based denial-of-service for the server.

CVE-2019-9518 - Empty Frame Flooding

A client can send a stream of empty DATA (or other) frames without setting the end-of-stream flag. As a result, the server will spend CPU time processing each frame, which can result in a CPU-based denial-of-service (as the time spent processing each empty frame is disproportionate to the size of each frame).
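The flood-style attacks above (Ping Flood, Resource Loop, Settings Flood and Empty Frame Flooding) share one shape: the client sends many cheap frames, each of which obliges the server to queue a response or do work. The fix in every affected implementation was to put a bound on that work. As an added example that is not part of this advisory or of any of the packages it lists, the Python below parses raw HTTP/2 frames (the 9-byte frame header of RFC 7540) from a connection buffer and counts the frame kinds each of those four attacks relies on against per-connection budgets. The LIMITS values and the sample buffers are constructed for illustration and are not taken from the advisory or from any server's source.

```python
import struct

# HTTP/2 frame type codes and flag bits (RFC 7540, section 6).
FRAME_DATA, FRAME_HEADERS, FRAME_PRIORITY, FRAME_RST_STREAM = 0x0, 0x1, 0x2, 0x3
FRAME_SETTINGS, FRAME_PING = 0x4, 0x6
FLAG_END_STREAM = 0x1   # on DATA and HEADERS
FLAG_ACK = 0x1          # on SETTINGS and PING

# Per-connection budgets. These numbers are assumptions chosen for the example;
# the advisory does not specify limits and real servers pick their own.
LIMITS = {
    "ping": 50,         # PINGs without ACK: each one obliges a PING ACK (CVE-2019-9512)
    "settings": 50,     # SETTINGS without ACK: each one obliges a SETTINGS ACK (CVE-2019-9515)
    "priority": 200,    # PRIORITY frames: reprioritisation churn (CVE-2019-9513)
    "empty_data": 100,  # zero-length DATA without END_STREAM (CVE-2019-9518)
}


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id, payload."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def parse_frames(buf: bytes):
    """Split a connection buffer into (type, flags, stream_id, payload) tuples.

    A trailing partial frame is left unparsed, as a server would wait for more bytes.
    """
    frames, pos = [], 0
    while pos + 9 <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = struct.unpack(">I", buf[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = buf[pos + 9:pos + 9 + length]
        if len(payload) < length:
            break
        frames.append((ftype, flags, stream_id, payload))
        pos += 9 + length
    return frames


def audit_connection(buf: bytes, limits=LIMITS):
    """Count the frame kinds each flood relies on and report which budgets were exceeded.

    A production server would decrement the ping/settings counters as it writes the
    corresponding ACKs; here the buffer stands in for everything received since the
    write queue last drained, so the counts are an upper bound on the work owed.
    """
    counters = {name: 0 for name in limits}
    for ftype, flags, _stream_id, payload in parse_frames(buf):
        if ftype == FRAME_PING and not flags & FLAG_ACK:
            counters["ping"] += 1
        elif ftype == FRAME_SETTINGS and not flags & FLAG_ACK:
            counters["settings"] += 1
        elif ftype == FRAME_PRIORITY:
            counters["priority"] += 1
        elif ftype == FRAME_DATA and not payload and not flags & FLAG_END_STREAM:
            counters["empty_data"] += 1
    violations = sorted(name for name, n in counters.items() if n > limits[name])
    return counters, violations


# Constructed sample buffers (not captured traffic). 0x82 0x84 is HPACK for
# ":method GET" and ":path /" using static-table indices 2 and 4.
def benign_sample() -> bytes:
    return (build_frame(FRAME_SETTINGS, 0, 0)
            + build_frame(FRAME_HEADERS, FLAG_END_STREAM, 1, b"\x82\x84")
            + build_frame(FRAME_PING, 0, 0, bytes(8)) * 2)


def flood_sample(kind: str) -> bytes:
    """Preface plus one kind of repeated cheap frame, for exercising the audit."""
    preface = build_frame(FRAME_SETTINGS, 0, 0)
    if kind == "ping":
        return preface + build_frame(FRAME_PING, 0, 0, bytes(8)) * 500
    if kind == "settings":
        return preface + build_frame(FRAME_SETTINGS, 0, 0) * 300
    if kind == "priority":
        dep = struct.pack(">IB", 0, 16)  # stream dependency 0, weight 16
        return preface + build_frame(FRAME_PRIORITY, 0, 1, dep) * 300
    if kind == "empty_data":
        return (preface + build_frame(FRAME_HEADERS, 0, 1, b"\x82\x84")
                + build_frame(FRAME_DATA, 0, 1) * 150)
    raise ValueError(kind)


if __name__ == "__main__":
    print("benign:", audit_connection(benign_sample()))
    for kind in LIMITS:
        print(kind, "flood:", audit_connection(flood_sample(kind)))
```

The benign buffer (a preface, one request and two keep-alive pings) stays inside every budget; each constructed flood trips exactly the budget for its frame kind. Reset Flood (CVE-2019-9514) is not covered because the frames being flooded there are the server's own RST_STREAM responses, so the bound has to sit on the outbound queue rather than on what is parsed from the client.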

Status

The following table provides a summary of which packages are affected by which vulnerability (for full details please consult the linked entry in the Ubuntu CVE Tracker). Y = affected, N = not affected, an empty field corresponds to an unknown status.

Source Package  CVE-2019-9511  CVE-2019-9512  CVE-2019-9513  CVE-2019-9514  CVE-2019-9515  CVE-2019-9516  CVE-2019-9517  CVE-2019-9518
apache2         N              N              N              N              N                             Y
golang-1.x      N              Y              N              Y              N              N              N              N
nghttp2         Y              N              Y              N              N              N              N              N
nginx           Y              N              Y              N              N              Y              N              N
twisted         N              Y              N              Y              N              N              N              N

Mitigations

HTTP/2 support is not enabled by default for either apache2 or nginx in Ubuntu, so only sites which have specifically enabled this feature via a specific configuration change are affected.
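Because the mitigation above turns on whether HTTP/2 was explicitly switched on, a quick way to confirm exposure is to look for the directives that enable it: the http2 parameter on an nginx listen line, and an apache2 Protocols line offering h2 (TLS) or h2c (cleartext). The Python below is an added example, not part of this page or of either package, that scans configuration text for those directives while ignoring commented-out lines. The default paths in main() are the standard Ubuntu locations; the standalone "http2 on;" directive of newer nginx releases is matched as well.

```python
import re
import sys
from pathlib import Path

# nginx enables HTTP/2 with "listen 443 ssl http2;" (the form in use in 2019)
# or, in newer releases, with a standalone "http2 on;" directive.
NGINX_PATTERNS = [
    re.compile(r"^\s*listen\b[^;#]*\bhttp2\b", re.MULTILINE),
    re.compile(r"^\s*http2\s+on\s*;", re.MULTILINE),
]
# apache2 uses mod_http2 only when a Protocols line offers h2 or h2c.
APACHE_PATTERN = re.compile(r"^\s*Protocols\b[^#\n]*\bh2c?\b", re.MULTILINE | re.IGNORECASE)


def nginx_http2_enabled(conf_text: str) -> bool:
    """True if any non-comment line in the nginx config text enables HTTP/2."""
    return any(p.search(conf_text) for p in NGINX_PATTERNS)


def apache_http2_enabled(conf_text: str) -> bool:
    """True if any non-comment Protocols line in the apache2 config text offers h2/h2c."""
    return APACHE_PATTERN.search(conf_text) is not None


def find_http2_directives(root: Path, checker) -> list:
    """Return (file, line number, line) for every line under root that the checker flags."""
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file (permissions, broken symlink): skip, do not abort
        for lineno, line in enumerate(text.splitlines(), 1):
            if checker(line):
                hits.append((str(path), lineno, line.strip()))
    return hits


def main(argv):
    # Assumed default locations for the Ubuntu packages; override on the command line.
    roots = [Path(a) for a in argv[1:]] or [Path("/etc/nginx"), Path("/etc/apache2")]
    for root in roots:
        if not root.exists():
            continue
        checker = apache_http2_enabled if "apache" in root.name else nginx_http2_enabled
        for path, lineno, line in find_http2_directives(root, checker):
            print(f"{path}:{lineno}: {line}")


if __name__ == "__main__":
    main(sys.argv)
```

No output means no enabling directive was found in the scanned trees, which is the default state the mitigation describes; any printed line identifies a site that has opted in and therefore needs the updated packages.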

Updates

Updated packages for apache2 and nghttp2 are expected to be available soon after the coordinated release date (CRD) of 5pm UTC on the 7th of May, 2019. Due to the unavailability of patches prior to the CRD for nginx, golang and twisted, these updates are expected to take longer to prepare and so will likely only be available 24 hours or more after the CRD. Note that these are only estimates; as more specific details become known regarding the availability of patches for these packages, this article will be updated.

Timeline

2019 May 07: The Ubuntu Security Team is notified privately
2019 Aug 13: The issue becomes public at the coordinated release date