Allele Security Alert
ASA-2019-00520
Identifier(s)
ASA-2019-00520, CVE-2019-9516
Title
Excessive memory usage in HTTP/2 with zero length headers
Vendor(s)
NGINX, Inc
Product(s)
nginx
Affected version(s)
nginx versions since 1.9.5 up to and including 1.17.2
Fixed version(s)
nginx version 1.17.3
nginx version 1.16.1
Proof of concept
Unknown
Description
Several security issues were identified in the nginx HTTP/2 implementation, which might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).
The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the “http2” option of the “listen” directive is used in a configuration file.
Technical details
The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
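An exposure check built from the conditions stated in this alert (affected version range, HTTP/2 module compiled in, "http2" on a "listen" directive), added here as an example and not taken from nginx or from the advisory's authors. It assumes the text of `nginx -V` and of the configuration (for instance from `nginx -T`) has already been captured; the function names and sample inputs are constructed for illustration.

```python
import re

# Bounds and fixed releases come from this advisory. Distro packages may
# backport the fix without changing the upstream version string.
FIRST_AFFECTED, FIXED_MAINLINE, FIXED_STABLE = (1, 9, 5), (1, 17, 3), (1, 16, 1)

def parse_version(nginx_v_output):
    """Extract (major, minor, patch) from `nginx -V` output."""
    m = re.search(r"nginx version: nginx/(\d+)\.(\d+)\.(\d+)", nginx_v_output)
    if not m:
        raise ValueError("no nginx version string found")
    return tuple(int(x) for x in m.groups())

def version_affected(v):
    if v < FIRST_AFFECTED or v >= FIXED_MAINLINE:
        return False
    # Stable branch: 1.16.1 carries the fix.
    return not (v[:2] == FIXED_STABLE[:2] and v >= FIXED_STABLE)

def http2_listeners(config_text):
    """Return arguments of listen directives that enable HTTP/2."""
    text = re.sub(r"#[^\n]*", "", config_text)  # drop comments first
    hits = []
    for args in re.findall(r"(?<![^\s;{}])listen\s+([^;{}]+);", text):
        tokens = args.split()
        if "http2" in tokens:
            hits.append(" ".join(tokens))
    return hits

def assess(nginx_v_output, config_text):
    version = parse_version(nginx_v_output)
    affected = version_affected(version)
    has_module = "--with-http_v2_module" in nginx_v_output
    listeners = http2_listeners(config_text)
    return {"version": version, "version_affected": affected,
            "http2_module": has_module, "http2_listeners": listeners,
            "exposed": affected and has_module and bool(listeners)}

# Constructed sample inputs (not captured from a real host).
SAMPLE_V = ("nginx version: nginx/1.17.2\n"
            "configure arguments: --with-http_ssl_module --with-http_v2_module\n")
SAMPLE_CONF = """server {
    listen 80;
    listen 443 ssl http2;   # HTTP/2 enabled here
    # listen 8443 ssl http2;
}"""

if __name__ == "__main__":
    print(assess(SAMPLE_V, SAMPLE_CONF))
```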
Credits
Jonathan Looney (Netflix)
Reference(s)
nginx security advisories
https://nginx.org/en/security_advisories.html
[nginx-announce] nginx security advisory (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516)
https://mailman.nginx.org/pipermail/nginx-announce/2019/000249.html
HTTP/2 Denial of Service Advisory
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
Bug 1741864 (CVE-2019-9516) – CVE-2019-9516 HTTP/2: 0-length headers leads to denial of service [NEEDINFO]
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-9516
NGINX Updates Mitigate the August 2019 HTTP/2 Vulnerabilities
https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/
HTTP/2: reject zero length headers with PROTOCOL_ERROR.
https://hg.nginx.org/nginx/rev/4f4b83f00cf1
CVE-2019-9516 - Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2019-9516
CVE-2019-9516
https://security-tracker.debian.org/tracker/CVE-2019-9516
https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9516.html
CVE-2019-9516 | SUSE
https://www.suse.com/security/cve/CVE-2019-9516
CVE-2019-9516
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9516
CVE-2019-9516
https://nvd.nist.gov/vuln/detail/CVE-2019-9516
Last modified: August 25, 2019