Lucene search

K
redhatcveRedhat.comRH:CVE-2019-9517
HistoryMar 21, 2021 - 12:51 a.m.

CVE-2019-9517

2021-03-2100:51:26
redhat.com
access.redhat.com
35
http/2
denial of service
vulnerability
mitigation
red hat enterprise linux 8

EPSS

0.035

Percentile

91.7%

A vulnerability was found in HTTP/2. An attacker can open a HTTP/2 window so the peer can send without constraint. The TCP window remains closed so the peer cannot write the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the server’s queue is setup, the responses can consume excess memory, CPU, or both, potentially leading to a denial of service. The highest threat from this vulnerability is to system availability.

Mitigation

The httpd version shipped with Red Hat Enterprise Linux 8 provides HTTP/2 support through mod_http2 package. While mod_http2 package is not updated, users can disable HTTP/2 support as mitigation action by executing the following steps:

1. Stop httpd service:
$ systemctl stop httpd

2. Remove http/2 protocol support from configuration files:
$ sed -i 's/\(h2\)|\(h2c\)//g' <httpd_config_file>

3. Validate configuration files to make sure all syntax is valid:
$ apachectl configtest

4. Restart httpd service:
$ systemctl start httpd