Allele Security Alert
ASA-2019-00519
Identifier(s)
ASA-2019-00519, CVE-2019-9513
Title
Excessive CPU usage in HTTP/2 with priority changes
Vendor(s)
NGINX, Inc
Product(s)
nginx
Affected version(s)
nginx 1.9.5 through 1.17.2 (inclusive)
Fixed version(s)
nginx version 1.17.3
nginx version 1.16.1
Proof of concept
Unknown
Description
Several security issues were identified in the nginx HTTP/2 implementation which might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).
The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the "http2" option of the "listen" directive is used in a configuration file. Whether a build includes the module can be seen in the configure arguments printed by "nginx -V" (look for --with-http_v2_module); a build without it, or one that never enables "http2" on a listen socket, is not exposed.
Technical details
The attacker opens multiple request streams and then continually shuffles their priorities with PRIORITY frames in a way that causes substantial churn in the server's stream dependency tree. Each PRIORITY frame is cheap for the client to send but forces the server to re-parent streams (and, for exclusive dependencies, to move whole subtrees), so a sustained flood can consume excess CPU and potentially lead to a denial of service. The fixed versions (1.17.3 and 1.16.1) mitigate this by limiting the number of PRIORITY frames accepted on a connection, as described in the referenced changeset "HTTP/2: limited number of PRIORITY frames".
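The following is an added model of the attack and of the mitigation, written for this alert; it is not nginx code and not a proof of concept against a live server. It encodes RFC 7540 PRIORITY frames, maintains a dependency tree the way section 5.3 of the RFC describes (including the re-parenting rules for exclusive dependencies and for depending on one's own descendant), replays constructed flood traffic against it, and counts the tree edits the server is forced to perform. The per-connection budget in the "mitigated" mode is modelled on the approach taken by the nginx fix (a PRIORITY budget that grows with the number of streams opened and closes the connection with ENHANCE_YOUR_CALM when exhausted); the exact accounting is an assumption of this model, not a statement about the nginx source.

```python
"""Model of the CVE-2019-9513 'resource loop': an HTTP/2 client floods PRIORITY
frames that keep re-parenting streams, so the server rebuilds its dependency tree
on every frame.  Added illustration for this alert, not nginx code.  The
PRIORITY budget is modelled on the nginx 1.17.3 / 1.16.1 mitigation; its exact
accounting here is an assumption."""
import struct

FRAME_TYPE_PRIORITY = 0x2
ERR_PROTOCOL = 0x1            # RFC 7540 section 7 error codes
ERR_ENHANCE_YOUR_CALM = 0xB


def encode_priority_frame(stream_id, dep_id, weight, exclusive=False):
    """RFC 7540 section 6.3: 9-byte header (24-bit length, type, flags, 31-bit
    stream id) then a 5-byte payload: E bit + 31-bit dependency, weight minus 1."""
    payload = struct.pack(">IB",
                          (dep_id & 0x7FFFFFFF) | (0x80000000 if exclusive else 0),
                          weight - 1)
    header = (len(payload).to_bytes(3, "big")
              + bytes([FRAME_TYPE_PRIORITY, 0])
              + struct.pack(">I", stream_id & 0x7FFFFFFF))
    return header + payload


def decode_frame(buf):
    """Split one frame off the front of buf: (type, stream_id, payload, rest)."""
    length = int.from_bytes(buf[:3], "big")
    ftype = buf[3]
    stream_id = struct.unpack(">I", buf[5:9])[0] & 0x7FFFFFFF
    return ftype, stream_id, buf[9:9 + length], buf[9 + length:]


class PriorityTree:
    """Dependency tree kept as parent pointers; stream 0 is the root."""

    def __init__(self):
        self.parent = {}
        self.weight = {}
        self.edits = 0   # tree edits performed: the CPU work the client induces

    def _is_descendant(self, node, ancestor):
        while node != 0:
            if node == ancestor:
                return True
            node = self.parent.get(node, 0)
        return False

    def set_dependency(self, sid, dep, weight, exclusive):
        if dep == sid:                       # PROTOCOL_ERROR, RFC 7540 section 5.3.1
            raise ValueError("self-dependency")
        # Section 5.3.3: if sid is made dependent on its own descendant, that
        # descendant is first moved up to sid's previous parent.
        if self._is_descendant(dep, sid):
            self.parent[dep] = self.parent.get(sid, 0)
            self.edits += 1
        self.parent[sid] = dep
        self.weight[sid] = weight
        self.edits += 1
        if exclusive:                        # other children of dep move under sid
            for child in [c for c, p in self.parent.items() if p == dep and c != sid]:
                self.parent[child] = sid
                self.edits += 1


class Connection:
    """Server side of one HTTP/2 connection.  enforce_limit=False processes every
    PRIORITY frame (vulnerable behaviour); enforce_limit=True keeps a budget that
    starts at concurrent_streams, grows by that much per stream opened, and tears
    the connection down with ENHANCE_YOUR_CALM once it is exhausted (assumed model)."""

    def __init__(self, concurrent_streams=128, enforce_limit=True):
        self.tree = PriorityTree()
        self.concurrent_streams = concurrent_streams
        self.enforce_limit = enforce_limit
        self.priority_budget = concurrent_streams
        self.frames_processed = 0
        self.closed_with = None   # error code once the connection is closed

    def open_stream(self, sid):
        self.tree.parent.setdefault(sid, 0)
        self.priority_budget += self.concurrent_streams

    def feed(self, buf):
        while buf and self.closed_with is None:
            ftype, sid, payload, buf = decode_frame(buf)
            if ftype != FRAME_TYPE_PRIORITY:   # other frame types are ignored here
                continue
            if self.enforce_limit:
                self.priority_budget -= 1
                if self.priority_budget == 0:
                    self.closed_with = ERR_ENHANCE_YOUR_CALM
                    break
            dep_field, weight_m1 = struct.unpack(">IB", payload)
            try:
                self.tree.set_dependency(sid, dep_field & 0x7FFFFFFF, weight_m1 + 1,
                                         bool(dep_field & 0x80000000))
            except ValueError:
                self.closed_with = ERR_PROTOCOL
                break
            self.frames_processed += 1
        return self.closed_with


def resource_loop_traffic(stream_ids, rounds):
    """Constructed attacker traffic: each round makes every stream the exclusive
    child of a different stream, so every frame re-parents part of the tree.
    The rotation offset is never 0, so no frame is a self-dependency."""
    out = b""
    n = len(stream_ids)
    for r in range(rounds):
        for i, sid in enumerate(stream_ids):
            dep = stream_ids[(i + (r % (n - 1)) + 1) % n]
            out += encode_priority_frame(sid, dep, 16, exclusive=True)
    return out


def simulate(rounds, enforce_limit, concurrent_streams=8):
    """Open 8 client streams, replay `rounds` rounds of the flood, and return
    (frames processed, tree edits performed, close code or None)."""
    ids = [2 * i + 1 for i in range(8)]
    conn = Connection(concurrent_streams, enforce_limit)
    for sid in ids:
        conn.open_stream(sid)
    conn.feed(resource_loop_traffic(ids, rounds))
    return conn.frames_processed, conn.tree.edits, conn.closed_with


if __name__ == "__main__":
    print("vulnerable:", simulate(1000, enforce_limit=False))
    print("mitigated: ", simulate(1000, enforce_limit=True))
```

In the vulnerable mode all 8000 frames are processed and the edit counter grows without bound, which is the CPU cost the advisory describes; in the budgeted mode the connection is closed after the budget of 8 + 8 x 8 = 72 frames is spent, having processed only 71 of them, so the work an attacker can extract per connection is bounded by the number of streams the server allowed.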
Credits
Jonathan Looney (Netflix)
Reference(s)
nginx security advisories
https://nginx.org/en/security_advisories.html
[nginx-announce] nginx security advisory (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516)
https://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html
HTTP/2 Denial of Service Advisory
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
NGINX Updates Mitigate the August 2019 HTTP/2 Vulnerabilities
https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/
HTTP/2: limited number of PRIORITY frames.
https://hg.nginx.org/nginx/rev/45415228990b
Bug 1735741 (CVE-2019-9513) – CVE-2019-9513 HTTP/2: flood using PRIORITY frames resulting in excessive resource consumption
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-9513
CVE-2019-9513 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-9513
CVE-2019-9513 – Debian security tracker
https://security-tracker.debian.org/tracker/CVE-2019-9513
CVE-2019-9513 – Ubuntu CVE tracker
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9513.html
CVE-2019-9513 | SUSE
https://www.suse.com/security/cve/CVE-2019-9513
CVE-2019-9513
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513
CVE-2019-9513
https://nvd.nist.gov/vuln/detail/CVE-2019-9513
If there is any error in this alert, or you would like a comprehensive analysis, let us know.
Last modified: August 25, 2019