HTTP2 insecure DDOS

#1 Wed, 08/14/2019 - 19:38
Wed, 08/14/2019 - 21:31
andreychek

Howdy,

Note that it does not appear that any of the Virtualmin supported distros are affected.

-Eric

Thu, 08/15/2019 - 03:19 (Reply to #2)
Jfro

OK

Apache update depending on distro or repo: http://www.apache.org/dist/httpd/CHANGES_2.4.41

Ubuntu is affected but status unknown?

https://www.kb.cert.org/vuls/id/605641/#CHEU-BETT93

You can scroll there to see vendors and status; sorry, I cannot know who has which repo / distro / application.

Take care, as a lot of vendors have status unknown for affected yes/no! For now, Date Last Updated: 2019-08-14 21:20 UTC

Only 2 vendors are unaffected; the others are either affected or status unknown!

Debian status and affected both unknown: https://www.kb.cert.org/vuls/id/605641/#CHEU-BETT93

Red Hat status and affected both unknown: https://www.kb.cert.org/vuls/id/605641/#CHEU-BETT93

OpenSSL status and affected both unknown: https://www.kb.cert.org/vuls/id/605641/#CHEU-BETT93

For those who are running on a Synology NAS, see here: https://www.synology.com/nl-nl/security/advisory/Synology_SA_19_33


Status    Ongoing
Thu, 08/15/2019 - 03:49
Jfro

So I can't say yes or no myself, as there are a lot of unknowns so far that I can find; however, if you read the Apache changelog, then??

Changes with Apache 2.4.41

  *) SECURITY: CVE-2019-10081 (cve.mitre.org)
     mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource",
     could lead to an overwrite of memory in the pushing request's pool,
     leading to crashes. The memory copied is that of the configured push
     link header values, not data supplied by the client. [Stefan Eissing]

  *) SECURITY: CVE-2019-9517 (cve.mitre.org)
     mod_http2: a malicious client could perform a DoS attack by flooding
     a connection with requests and basically never reading responses
     on the TCP connection. Depending on h2 worker dimensioning, it was
     possible to block those with relatively few connections. [Stefan Eissing]

  *) SECURITY: CVE-2019-10098 (cve.mitre.org)
     rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable
     matches and substitutions with encoded line break characters.
     [Yann Ylavic]

  *) SECURITY: CVE-2019-10092 (cve.mitre.org)
     Remove HTML-escaped URLs from canned error responses to prevent misleading
     text/links being displayed via crafted links. [Eric Covener]

  *) SECURITY: CVE-2019-10097 (cve.mitre.org)
     mod_remoteip: Fix stack buffer overflow and NULL pointer deference
     when reading the PROXY protocol header.  [Joe Orton,
     Daniel McCarney <cpu letsencrypt.org>]

  *) SECURITY: CVE-2019-10082 (cve.mitre.org)
     mod_http2: Using fuzzed network input, the http/2 session
     handling could be made to read memory after being freed,
     during connection shutdown. [Stefan Eissing]

  *) mod_proxy_balancer: Improve balancer-manager protection against
     XSS/XSRF attacks from trusted users.  [Joe Orton,
     Niels Heinen <heinenn google.com>]

  *) mod_session: Introduce SessionExpiryUpdateInterval which allows to
     configure the session/cookie expiry's update interval. PR 57300.
     [Paul Spangler <paul.spangler ni.com>]

  *) modules/filters: Fix broken compilation when using old GCC (<4.2.x).
     PR 63633.  [Rainer Jung, Joe Orton]

  *) mod_ssl: Fix startup failure in 2.4.40 with SSLCertificateChainFile
     configured for a domain managed by mod_md.  [Stefan Eissing]

and for Nghttp2 v1.39.2 https://github.com/nghttp2/nghttp2/releases

NGINX https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vul...

2019-08-13 nginx-1.16.1 stable and nginx-1.17.3 mainline versions have been released, with fixes for vulnerabilities in HTTP/2 (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).
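To check a server against the fixed upstream releases named in this thread (Apache 2.4.41, nghttp2 1.39.2, nginx 1.16.1 stable / 1.17.3 mainline), the following added example, which is not part of any post above, parses version banners and compares them per branch. The sample banners are constructed, and the comparison assumes upstream version numbers: a distro package with backported fixes reports an older version and has to be checked against the vendor advisory instead.

```python
import re

# Upstream releases this thread names as carrying the August 2019 HTTP/2 fixes.
APACHE_FIXED = (2, 4, 41)
NGHTTP2_FIXED = (1, 39, 2)
NGINX_STABLE_FIXED = (1, 16, 1)    # 1.16.x stable branch
NGINX_MAINLINE_FIXED = (1, 17, 3)  # 1.17.x mainline branch

# Matches the product/version token in `httpd -v`, `nginx -v`, `nghttp --version`.
BANNER_RE = re.compile(r"\b(Apache|nginx|nghttp2)/(\d+)\.(\d+)\.(\d+)")


def is_fixed_upstream(product, version):
    """True if `version` is at or past the fixed release for its branch."""
    if product == "apache":
        return version >= APACHE_FIXED
    if product == "nghttp2":
        return version >= NGHTTP2_FIXED
    if product == "nginx":
        # The stable branch got its own point release; everything else
        # is compared against the mainline fix.
        if version[:2] == (1, 16):
            return version >= NGINX_STABLE_FIXED
        return version >= NGINX_MAINLINE_FIXED
    raise ValueError(f"unknown product: {product}")


def check_banner(banner):
    """Return (product, version, fixed) or None if no version is exposed."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None  # e.g. a banner with the version hidden: cannot tell
    product = m.group(1).lower()
    version = tuple(int(part) for part in m.groups()[1:])
    return product, version, is_fixed_upstream(product, version)


# Constructed sample banners, not taken from any real host.
SAMPLES = [
    "Server version: Apache/2.4.29 (Ubuntu)",
    "nginx version: nginx/1.16.1",
    "nginx version: nginx/1.17.2",
    "nghttp nghttp2/1.39.2",
    "Server: Apache",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r:45} -> {check_banner(line)}")
```

A result of `False` means "older than the upstream fix", not proof of exposure; `None` means the banner carries no version and the package manager has to be queried instead.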
