ASA-2019-00521 – Go, Kubernetes: Denial of Service vulnerabilities in the HTTP/2 implementation


Allele Security Alert

ASA-2019-00521

Identifier(s)

ASA-2019-00521, CVE-2019-9512, CVE-2019-9514

Title

Denial of Service vulnerabilities in the HTTP/2 implementation

Vendor(s)

Google

Cloud Native Computing Foundation

Product(s)

Go

Kubernetes

Affected version(s)

All versions of Go

All versions of Kubernetes

Fixed version(s)

Go version 1.12.8
Go version 1.11.13

Kubernetes version v1.15.3
Kubernetes version v1.14.6
Kubernetes version v1.13.10

Proof of concept

Unknown

Description

net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes.

Technical details

The first issue allows an attacker to send continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.

The second issue allows an attacker to open a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.

Credits

Jonathan Looney (Netflix)

Reference(s)

HTTP/2 Denial of Service Advisory
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

[security] Go 1.12.8 and Go 1.11.13 are released
https://groups.google.com/forum/#!msg/golang-announce/65QixT3tcmg/DrFiG6vvCwAJ

net/http, x/net/http2: Denial of Service vulnerabilities in the HTTP/2 implementation #33606
https://github.com/golang/go/issues/33606

[ANNOUNCE] Security release of Kubernetes v1.15.3, v1.14.6, v1.13.10 – CVE-2019-9512 and CVE-2019-9514
https://seclists.org/oss-sec/2019/q3/145

CVE-2019-9512
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512

CVE-2019-9512
https://nvd.nist.gov/vuln/detail/CVE-2019-9512

CVE-2019-9514
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514

CVE-2019-9514
https://nvd.nist.gov/vuln/detail/CVE-2019-9514

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: October 2, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.