Описание
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| nginx | fixed | 1.14.2-3 | package | |
| nginx | not-affected | jessie | package | |
| nodejs | fixed | 10.16.3~dfsg-1 | package | |
| nodejs | not-affected | stretch | package | |
| nodejs | not-affected | jessie | package | |
| nghttp2 | fixed | 1.39.2-1 | package | |
| nghttp2 | not-affected | jessie | package |
Примечания
https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/
https://github.com/nginx/nginx/commit/5ae726912654da10a9a81b2c8436829f3e94f69f (master)
https://github.com/nginx/nginx/commit/39bb3b9d4a33bd03c8ae0134dedc8a7700ae7b2b (release-1.16.1)
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/
https://github.com/nghttp2/nghttp2/releases/tag/v1.39.2
EPSS
Связанные уязвимости
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
EPSS