SB2019081551 - Resource management error in h2o (Alpine package)
Published: August 15, 2019
Security Bulletin ID
SB2019081551
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Resource management error (CVE-ID: CVE-2019-9515)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an error in HTTP/2 implementation when processing SETTINGS frames. A remote attacker can send a huge amount of SETTINGS frames to the peer and consume excessive CPU and memory on the system.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=c64d2552678a7126d5e1d18ac54ea0ee126298d9
- https://git.alpinelinux.org/aports/commit/?id=66b8ef9e1229d1630c160b9d6f89f315ad87acf9
- https://git.alpinelinux.org/aports/commit/?id=e59ae1cbadc31c59b3c6e298b697e299c6b59619
- https://git.alpinelinux.org/aports/commit/?id=441f8caf531eb82a234cf26ea4e64b4c4a4e7e1c
- https://git.alpinelinux.org/aports/commit/?id=3b2d519d19eed612aeaf0a62ee9003e23cbe7c2f
- https://git.alpinelinux.org/aports/commit/?id=e78ee5b73add9d52cfb312a9c213b1d6c251c17d
- https://git.alpinelinux.org/aports/commit/?id=285aeb8918cb76686f52211af1794c956dfac76e
- https://git.alpinelinux.org/aports/commit/?id=3ee31e5e22ef95dc3bd1bdce9cee66e8e2d03bb3
- https://git.alpinelinux.org/aports/commit/?id=cb9fd96b70026019c51ea38d29e4ec96ba003140
- https://git.alpinelinux.org/aports/commit/?id=578c97338a5cc6615df123d2759ef349dbf88c2c
- https://git.alpinelinux.org/aports/commit/?id=75cc679dead3d9b8aebb82a11c1f81a4eaaab853
- https://git.alpinelinux.org/aports/commit/?id=7149c919df587e3f9125fdac8bc2ccd4952027e3
- https://git.alpinelinux.org/aports/commit/?id=1e6f9b4d3f2d989dbba7b17640b425da9f8b86a0