Security Bulletin: Multiple vulnerabilities in HTTP/2 implementation used by WebSphere Application Server Liberty

Summary

There are multiple vulnerabilities in the HTTP/2 implementation that is used by WebSphere Application Server Liberty. This affects the servlet-4.0 and servlet-3.1 features. These vulnerabilities have been addressed.

Vulnerability Details

CVEID: CVE-2019-9518 DESCRIPTION: Multiple vendors are vulnerable to a denial of service, caused by a Empty Frame Flooding attack. By sending a stream of frames with an empty payload and without the end-of-stream flag, a remote attacker could consume excessive CPU resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/164904&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-9517 DESCRIPTION: Multiple vendors are vulnerable to a denial of service, caused by an Internal Data Buffering attack. By opening the HTTP/2 window so the peer can send without constraint and sending a stream of requests for a large response object, a remote attacker could consume excessive CPU resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/165183&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-9515 DESCRIPTION: Multiple vendors are vulnerable to a denial of service, caused by a Settings Flood attack. By sending a stream of SETTINGS frames to the peer, a remote attacker could consume excessive CPU resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/165181&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-9514 DESCRIPTION: Multiple vendors are vulnerable to a denial of service, caused by a Reset Flood attack. By opening a number of streams and sending an invalid request over each stream, a remote attacker could consume excessive CPU resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/164640&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-9513 DESCRIPTION: Multiple vendors are vulnerable to a denial of service, caused by a Resource Loop attack. By creating multiple request streams and continually shuffling the priority of the streams, a remote attacker could consume excessive CPU resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/164639&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-9512 DESCRIPTION: Multiple vendors are vulnerable to a denial of service, caused by a Ping Flood attack. By sending continual pings to an HTTP/2 peer, a remote attacker could consume excessive CPU resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/164903&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

These vulnerabilities affect the following versions and releases of IBM WebSphere Application Server:

• Liberty 18.0.0.2 - 19.0.0.9

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF containing the APAR for each named product as soon as practical.

For WebSphere Application Server Libertyusing servlet-4.0 or servlet-3.1 feature:

· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH16611
--OR–
· Apply Fix Pack 19.0.0.10 or later (targeted availability 4Q2019).

Additional interim fixes may be available and linked off the interim fix download page.