Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2019-9514 |
CWE-ID | CWE-400 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | containerd (Alpine package): Operating systems & Components / Operating system package or component; go (Alpine package): Operating systems & Components / Operating system package or component |
Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU20201
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-9514
CWE-ID: CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of user-supplied input when processing HTTP/2 requests. A remote attacker can send specially crafted HTTP packets to the affected system, trigger resource exhaustion and perform a denial of service (DoS) attack.
Install the update from the vendor's website.
Vulnerable software versions
containerd (Alpine package): 1.2.2-r0 - 1.3.2-r1
go (Alpine package): 1.12.6-r0 - 1.12.7-r0
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.