SB2019093017 - Red Hat update for nodejs:10
Published: September 30, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 8 secuirty vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2019-9511)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation when processing HTTP/2 requests. A remote attacker can send a specially crafted HTTP/2 request the affected server, consume all available CPU resources and perform a denial of service (DoS) attack.
Successful exploitation of the vulnerability requires that support for HTTP/2 is enabled.
2) Resource exhaustion (CVE-ID: CVE-2019-9512)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of user-supplied input when processing HTTP/2 requests. A remote attacker can send specially crafted HTTP packets to the affected system trigger resource exhaustion and perform a denial of service (DoS) attack.
3) Resource exhaustion (CVE-ID: CVE-2019-9513)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation when processing HTTP/2 requests. A remote attacker can send a specially crafted HTTP/2 request the affected server, consume all available CPU resources and perform a denial of service (DoS) attack.
Successful exploitation of the vulnerability requires that support for HTTP/2 is enabled.
4) Resource exhaustion (CVE-ID: CVE-2019-9514)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of user-supplied input when processing HTTP/2 requests. A remote attacker can send specially crafted HTTP packets to the affected system trigger resource exhaustion and perform a denial of service (DoS) attack.
5) Resource management error (CVE-ID: CVE-2019-9515)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an error in HTTP/2 implementation when processing SETTINGS frames. A remote attacker can send a huge amount of SETTINGS frames to the peer and consume excessive CPU and memory on the system.
6) Resource exhaustion (CVE-ID: CVE-2019-9516)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation when processing HTTP/2 requests within the ngx_http_v2_module module. A remote attacker can send a specially crafted HTTP/2 request the affected server, consume all available CPU resources and perform a denial of service (DoS) attack.
Successful exploitation of the vulnerability requires that support for HTTP/2 is enabled.
7) Resource management error (CVE-ID: CVE-2019-9517)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect implementation of HTTP/2 protocol. A remote attacker can open the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.8) Resource exhaustion (CVE-ID: CVE-2019-9518)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper validation of user-supplied input within the HTTP.sys driver when processing HTTP/2 requests. A remote attacker can send specially crafted HTTP packets to the affected system trigger resource exhaustion and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.