Allele Security Alert
ASA-2019-00521
Identifier(s)
ASA-2019-00521, CVE-2019-9512, CVE-2019-9514
Title
Denial of Service vulnerabilities in the HTTP/2 implementation
Vendor(s)
Cloud Native Computing Foundation
Product(s)
Go
Kubernetes
Affected version(s)
All versions of Go
All versions of Kubernetes
Fixed version(s)
Go version 1.12.8
Go version 1.11.13
Kubernetes version v1.15.3
Kubernetes version v1.14.6
Kubernetes version v1.13.10
Proof of concept
Unknown
Description
net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes.
Technical details
The first issue allows an attacker to send continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
The second issue allows an attacker to open a number of streams and send an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
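The practical check a defender needs for this alert is whether a given Go toolchain or Kubernetes release is at or past the fixed versions listed above. The following Go program is an added example written for this page, not code from Go, Kubernetes or the Netflix advisory. It parses a version string as printed by runtime.Version() ("go1.12.7") or by kubectl ("v1.15.2"), compares it against the fixed releases named in this alert, and reports "affected", "fixed", or "not covered by this advisory" for release lines the alert does not name (newer lines are deliberately left as "not covered" rather than assumed fixed; older lines are reported as affected, since all versions are affected and no fix is listed for them). The sample version strings in main are constructed inputs.

```go
package main

import (
	"fmt"
	"regexp"
	"runtime"
	"strconv"
)

// Status is a version's standing relative to this advisory.
type Status int

const (
	Affected   Status = iota // older than the first fixed release of its line
	Fixed                    // at or past the first fixed release of its line
	NotCovered               // release line newer than any the advisory names
)

func (s Status) String() string {
	return [...]string{"affected", "fixed", "not covered by this advisory"}[s]
}

// First fixed patch release per release line (major.minor), taken from the
// "Fixed version(s)" section of this alert.
var goFixed = map[[2]int]int{{1, 11}: 13, {1, 12}: 8}
var k8sFixed = map[[2]int]int{{1, 13}: 10, {1, 14}: 6, {1, 15}: 3}

// Accepts "go1.12.7" (runtime.Version()), "1.12", and "v1.15.2" (kubectl).
var versionRe = regexp.MustCompile(`^(?:go|v)?(\d+)\.(\d+)(?:\.(\d+))?`)

func parseVersion(v string) (major, minor, patch int, err error) {
	m := versionRe.FindStringSubmatch(v)
	if m == nil {
		return 0, 0, 0, fmt.Errorf("unrecognised version string %q", v)
	}
	major, _ = strconv.Atoi(m[1])
	minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		patch, _ = strconv.Atoi(m[3]) // a bare "go1.12" counts as patch 0
	}
	return major, minor, patch, nil
}

// classify compares v against the fixed-release table for one product.
func classify(v string, fixed map[[2]int]int) (Status, error) {
	major, minor, patch, err := parseVersion(v)
	if err != nil {
		return Affected, err
	}
	line := [2]int{major, minor}
	if first, ok := fixed[line]; ok {
		if patch >= first {
			return Fixed, nil
		}
		return Affected, nil
	}
	// Line not named in the advisory: older lines are affected with no fix
	// listed ("all versions" are affected); newer lines are outside its scope.
	for k := range fixed {
		if line[0] < k[0] || (line[0] == k[0] && line[1] < k[1]) {
			return Affected, nil
		}
	}
	return NotCovered, nil
}

// GoStatus classifies a Go toolchain version string (CVE-2019-9512/9514 fix).
func GoStatus(v string) (Status, error) { return classify(v, goFixed) }

// KubernetesStatus classifies a Kubernetes release string.
func KubernetesStatus(v string) (Status, error) { return classify(v, k8sFixed) }

func main() {
	// The running toolchain, followed by constructed sample inputs.
	for _, v := range []string{runtime.Version(), "go1.12.7", "go1.11.13"} {
		st, err := GoStatus(v)
		if err != nil {
			fmt.Println("Go", v, "->", err)
			continue
		}
		fmt.Printf("Go %s -> %s\n", v, st)
	}
	for _, v := range []string{"v1.14.5", "v1.15.3"} {
		st, _ := KubernetesStatus(v)
		fmt.Printf("Kubernetes %s -> %s\n", v, st)
	}
}
```

Run it inside a build of the service in question, or feed it the output of `go version -m <binary>` and `kubectl version`, to confirm every component sits on a fixed release; a "not covered" result means the release line is newer than this alert and must be checked against its own release notes.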
Credits
Jonathan Looney (Netflix)
Reference(s)
HTTP/2 Denial of Service Advisory
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
[security] Go 1.12.8 and Go 1.11.13 are released
https://groups.google.com/forum/#!msg/golang-announce/65QixT3tcmg/DrFiG6vvCwAJ
net/http, x/net/http2: Denial of Service vulnerabilities in the HTTP/2 implementation #33606
https://github.com/golang/go/issues/33606
[ANNOUNCE] Security release of Kubernetes v1.15.3, v1.14.6, v1.13.10 – CVE-2019-9512 and CVE-2019-9514
https://seclists.org/oss-sec/2019/q3/145
CVE-2019-9512
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512
CVE-2019-9512
https://nvd.nist.gov/vuln/detail/CVE-2019-9512
CVE-2019-9514
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514
CVE-2019-9514
https://nvd.nist.gov/vuln/detail/CVE-2019-9514
If there is any error in this alert, or if you would like a comprehensive analysis, let us know.
Last modified: October 2, 2019