SB2019081378 - Resource exhaustion in nginx (Alpine package)
Published: August 13, 2019
Description
This security bulletin contains information about 1 security vulnerability.
1) Resource exhaustion (CVE-ID: CVE-2019-9516)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation when processing HTTP/2 requests within the ngx_http_v2_module module. A remote attacker can send a specially crafted HTTP/2 request to the affected server, consume all available CPU resources and perform a denial of service (DoS) attack.
Successful exploitation of the vulnerability requires that support for HTTP/2 is enabled.
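A check for the precondition above, as an added example that is not part of the original bulletin: the function below reads nginx configuration text and reports every directive that enables HTTP/2. The sample configuration, its file paths and the function names are constructed for illustration, and the check also covers the `http2 on;` directive form of newer nginx releases, which goes beyond the versions this bulletin concerns.

```shell
#!/bin/sh
# Added example: report nginx directives that enable HTTP/2.
# Input: configuration text on stdin, e.g.  nginx -T 2>/dev/null | http2_listeners
# Assumption: each directive sits on one line; quoted "#", "{" or ";" are not handled.

http2_listeners() {
    awk '
        /^# configuration file / {          # per-file marker printed by "nginx -T"
            file = $4; sub(/:$/, "", file); next
        }
        {
            line = $0
            sub(/#.*/, "", line)            # strip comments
            gsub(/[{}]/, ";", line)         # treat block braces as separators
            n = split(line, stmts, ";")
            for (i = 1; i <= n; i++) {
                s = stmts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", s)
                m = split(s, w, /[ \t]+/)
                hit = 0
                # "http2 on;" is the directive form used by nginx 1.25.1 and later
                if (m >= 2 && w[1] == "http2" && w[2] == "on") hit = 1
                # "listen ... http2;" is the parameter form
                if (w[1] == "listen")
                    for (j = 2; j <= m; j++) if (w[j] == "http2") hit = 1
                if (hit) printf "%s: %s\n", (file ? file : "stdin"), s
            }
        }
    '
}

# Constructed sample in the layout "nginx -T" prints (not taken from a real host).
sample_config() {
    cat <<'EOF'
# configuration file /etc/nginx/nginx.conf:
http {
    server {
        listen 80;
        # listen 8443 ssl http2;
        listen 443 ssl http2;
    }
}
# configuration file /etc/nginx/conf.d/api.conf:
server { listen [::]:443 ssl http2 default_server; server_name api.example.test; }
EOF
}

sample_config | http2_listeners
```

An empty result means no directive in the parsed text enabled HTTP/2, so the precondition stated above is not met for that configuration.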
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=578c97338a5cc6615df123d2759ef349dbf88c2c
- https://git.alpinelinux.org/aports/commit/?id=75cc679dead3d9b8aebb82a11c1f81a4eaaab853
- https://git.alpinelinux.org/aports/commit/?id=7149c919df587e3f9125fdac8bc2ccd4952027e3
- https://git.alpinelinux.org/aports/commit/?id=181112be362642a3beea5c67e21985f3364b7b23
- https://git.alpinelinux.org/aports/commit/?id=6e8dc30ce258648d95eb57892b407d0ae7b72981
- https://git.alpinelinux.org/aports/commit/?id=cbfc890c785c113b462f0cb5bbbe873503b00c9f
- https://git.alpinelinux.org/aports/commit/?id=45003dac9059e38b73687135bba6c67874b992a2