Allele Security Alert
ASA-2019-00521, CVE-2019-9512, CVE-2019-9514
Denial of Service vulnerabilities in the HTTP/2 implementation
Cloud Native Computing Foundation
All versions of Go
All versions of Kubernetes
Go version 1.12.8
Go version 1.11.13
Kubernetes version v1.15.3
Kubernetes version v1.14.6
Kubernetes version v1.13.10
Proof of concept
net/http and golang.org/x/net/http2 servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes.
The first issue allows an attacker to send continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
The second issue allows an attacker to open a number of streams and send an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
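Because the remedy for both issues is a patched toolchain, the first check a defender wants is whether a given binary was built with one of the fixed releases listed above. The following Go program is an added example written for this alert, not code from the Go project or from the advisory itself: it parses a Go version string of the form reported by runtime.Version() and compares it against the fixed releases named here (1.11.13 and 1.12.8). The treatment of the 1.13 and later series as already fixed, and of anything older than 1.11 as unpatched, is this example's own assumption.

```go
package main

import (
	"fmt"
	"os"
	"runtime"
	"strconv"
	"strings"
)

// fixedVersions lists the releases named in this alert as carrying the fix
// for CVE-2019-9512 and CVE-2019-9514, keyed by minor series.
var fixedVersions = map[string]string{
	"1.11": "1.11.13",
	"1.12": "1.12.8",
}

// parseGoVersion turns "go1.12.7" or "1.12" into [major, minor, patch].
// Development and pre-release strings such as "devel +abc123" or "go1.13rc1"
// are rejected so that they are never mistaken for a patched release.
func parseGoVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(v, "go")
	parts := strings.Split(v, ".")
	if len(parts) < 2 || len(parts) > 3 {
		return out, fmt.Errorf("unrecognised Go version %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return out, fmt.Errorf("unrecognised Go version %q: %v", v, err)
		}
		out[i] = n
	}
	return out, nil
}

// compareVersions returns -1, 0 or 1 as a is older than, equal to, or newer than b.
func compareVersions(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		if a[i] < b[i] {
			return -1
		}
		if a[i] > b[i] {
			return 1
		}
	}
	return 0
}

// IsPatched reports whether the given toolchain version includes the fix.
// Assumption (this example's, not the alert's): series 1.13 and newer were
// released after the fix and count as patched; series older than 1.11 are
// out of support and count as unpatched.
func IsPatched(version string) (bool, error) {
	v, err := parseGoVersion(version)
	if err != nil {
		return false, err
	}
	series := fmt.Sprintf("%d.%d", v[0], v[1])
	fixed, ok := fixedVersions[series]
	if !ok {
		return compareVersions(v, [3]int{1, 13, 0}) >= 0, nil
	}
	f, _ := parseGoVersion(fixed) // entries in fixedVersions are well-formed
	return compareVersions(v, f) >= 0, nil
}

func main() {
	// Check the toolchain this binary was built with.
	patched, err := IsPatched(runtime.Version())
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot classify toolchain:", err)
		os.Exit(2)
	}
	if !patched {
		fmt.Printf("%s lacks the fix for CVE-2019-9512 / CVE-2019-9514\n", runtime.Version())
		os.Exit(1)
	}
	fmt.Printf("%s includes the fix for CVE-2019-9512 / CVE-2019-9514\n", runtime.Version())
}
```

Note that this only covers the standard-library net/http server. A program that vendors golang.org/x/net/http2 directly carries its own copy of the HTTP/2 code and must update that module as well, independent of the toolchain version.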
Jonathan Looney (Netflix)
HTTP/2 Denial of Service Advisory
[security] Go 1.12.8 and Go 1.11.13 are released
net/http, x/net/http2: Denial of Service vulnerabilities in the HTTP/2 implementation #33606
[ANNOUNCE] Security release of Kubernetes v1.15.3, v1.14.6, v1.13.10 – CVE-2019-9512 and CVE-2019-9514
If there is any error in this alert or you wish for a comprehensive analysis, let us know.
Last modified: October 2, 2019