4432 matches found

Oracle Linux
added 2022/04/13 12:00 a.m., 63 views

httpd:2.4 security update

2.4.37-43.0.3.3 - Resolves: CVE-2021-33193 a crafted method sent through HTTP/2 will bypass validation Orabug: 33942809...

CVSS 7.5, AI score 1.8, EPSS 0.46179
Exploits: 1
RedhatCVE
added 2022/04/06 1:21 p.m., 45 views

CVE-2022-1259

A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server...

CVSS 7.5, AI score 2.1, EPSS 0.01175
Exploits: 0, References: 3
Tenable Nessus
added 2022/04/01 12:00 a.m., 60 views

Ubuntu 18.04 LTS / 20.04 LTS : Tomcat vulnerabilities (USN-5360-1)

The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5360-1 advisory. It was discovered that Tomcat incorrectly performed input verification. A remote attacker could possibly use this issue to intercept sensitiv...

CVSS 7.5, AI score 7.7, EPSS 0.75353
Exploits: 16, References: 9
OpenVAS
added 2022/03/30 12:00 a.m., 23 views

Ubuntu: Security Advisory (USN-5313-2)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 5.3, AI score 6.3, EPSS 0.08346
Exploits: 0, References: 3
Ubuntu
added 2022/03/29 10:06 a.m., 128 views

USN-5313-2: OpenJDK 11 regression

USN-5313-1 fixed vulnerabilities and added features in OpenJDK. Unfortunately, that update introduced a regression in OpenJDK 11 that could impact interoperability with some popular HTTP/2 servers making it unable to connect to said servers. This update fixes the problem. We apologize for the...

AI score 6.3
Exploits: 0, References: 1
Tenable Nessus
added 2022/03/28 12:00 a.m., 44 views

EulerOS 2.0 SP8 : golang (EulerOS-SA-2022-1345)

According to the versions of the golang packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2...

CVSS 7.5, AI score 7, EPSS 0.03958
Exploits: 0, References: 2
IBM Security Bulletins
added 2022/03/23 10:07 p.m., 49 views

Security Bulletin: Vulnerabilities in Node.js affect IBM Spectrum Control (CVE-2020-8172, CVE-2020-8174, CVE-2020-11080)

Summary Node.js is vulnerable to a denial of service or could allow a remote attacker to bypass security restrictions. These vulnerabilities may affect IBM Spectrum Control. Vulnerability Details CVEID: CVE-2020-8172 DESCRIPTION: Node.js could allow a remote attacker to bypass security...

CVSS 9.3, AI score 9.5, EPSS 0.07646
Exploits: 2, Affected Software: 1
AlmaLinux
added 2022/03/15 9:10 a.m., 20 views

java-11-openjdk bug fix and enhancement update

The java-11-openjdk packages provide the OpenJDK 11 Java Runtime Environment and the OpenJDK 11 Java Software Development Kit. Bug Fixes: The previous OpenJDK 11 release, 11.0.14, was found to contain a regression introduced by improvements to the HTTP client. It caused both the :authority' and...

AI score 1.4
Exploits: 0
GitHub Security Blog
added 2022/03/14 10:45 p.m., 72 views

HTTP/2 DoS Attacks: Ping, Reset, and Settings Floods

Impact Twisted web servers that utilize the optional HTTP/2 support suffer from the following flow-control related vulnerabilities: Ping flood: https://vulners.com/cve/CVE-2019-9512 Reset flood: https://vulners.com/cve/CVE-2019-9514 Settings flood: https://vulners.com/cve/CVE-2019-9515 A Twisted...

CVSS 7.8, AI score 0.2, EPSS 0.87806
Exploits: 1, References: 3, Affected Software: 1
OSV
added 2022/03/14 10:45 p.m., 129 views

GHSA-32GV-6CF3-WCMQ HTTP/2 DoS Attacks: Ping, Reset, and Settings Floods

Impact Twisted web servers that utilize the optional HTTP/2 support suffer from the following flow-control related vulnerabilities: Ping flood: https://vulners.com/cve/CVE-2019-9512 Reset flood: https://vulners.com/cve/CVE-2019-9514 Settings flood: https://vulners.com/cve/CVE-2019-9515 A Twisted...

AI score 7.3
Exploits: 0, References: 3
Veracode
added 2022/03/11 6:18 a.m., 25 views

Denial Of Service (DoS)

github.com/apple/swift-nio-http2 is vulnerable to denial of service. A remote attacker can cause a logical error when parsing HTTP/2 HEADERS or HTTP/2 PUSH_PROMISE frames, crashing the entire process and resulting in a denial of service condition...

CVSS 7.5, AI score 4.3, EPSS 0.01248
Exploits: 0, References: 2, Affected Software: 1
NVD
added 2022/03/10 5:44 p.m., 30 views

CVE-2022-0618

A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS or HTTP/2 PUSHPROMISE frame where the frame contains padding information...

CVSS 7.8, EPSS 0.01248
Exploits: 0, References: 1
Prion
added 2022/03/10 5:44 p.m., 13 views

Design/Logic Flaw

A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS or HTTP/2 PUSHPROMISE frame where the frame contains padding information...

CVSS 7.8, AI score 7.4, EPSS 0.01248
Exploits: 0, References: 1, Affected Software: 1
Cvelist
added 2022/03/09 8:23 p.m., 39 views

CVE-2022-0618

A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. This vulnerability is caused by a logical error when parsing a HTTP/2 HEADERS or HTTP/2 PUSHPROMISE frame where the frame contains padding information...

AI score 7.6, EPSS 0.01248
Exploits: 0, References: 1
CVE
added 2022/03/09 8:23 p.m., 78 views

CVE-2022-0618

CVE-2022-0618 affects the swift-nio-http2 project. A logical error in parsing HTTP/2 HEADERS and PUSH_PROMISE frames containing only padding information can cause a parsing failure, crashing the process and harming availability. The issue affects swift-nio-http2 versions 1.0.0 through 1.19.2 and ...

CVSS 7.8, AI score 7.4, EPSS 0.01248
Exploits: 0, References: 1, Affected Software: 1
Tenable Nessus
added 2022/03/04 12:00 a.m., 71 views

Debian DSA-5088-1 : varnish - security update

The remote Debian 10 / 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5088 advisory. - Varnish Cache, with HTTP/2 enabled, allows request smuggling and VCL authorization bypass via a large Content-Length header for a POST request. This affect...

CVSS 9.1, AI score 7.2, EPSS 0.01957
Exploits: 0, References: 9
Debian
added 2022/03/03 7:50 p.m., 35 views

[SECURITY] [DSA 5088-1] varnish security update

Debian Security Advisory DSA-5088-1 https://www.debian.org/security/ Florian Weimer March 03, 2022 https://www.debian.org/security/faq ...

CVSS 9.1, AI score 8.5, EPSS 0.01957
Exploits: 0
Tenable Nessus
added 2022/03/03 12:00 a.m., 37 views

openSUSE 15 Security Update : envoy-proxy (openSUSE-SU-2022:0065-1)

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2022:0065-1 advisory. - Envoy version 1.14.2, 1.13.2, 1.12.4 or earlier may consume excessive amounts of memory when proxying HTTP/2 requests or responses with...

CVSS 7.5, AI score 7.5, EPSS 0.02364
Exploits: 1, References: 14
CNVD
added 2022/02/24 12:00 a.m., 32 views

Envoy Resource Management Error Vulnerability (CNVD-2022-15542)

Envoy is an open source distributed proxy server. Envoy is vulnerable to a resource management error that occurs when configuring "envoyv3apifieldextensions.filters.network.tcpproxy.v3. tunnelingconfig" crashes and the downstream connection is disconnected while the upstream connection or http/2...

CVSS 7.5, AI score 2.7, EPSS 0.01046
Exploits: 0, References: 1
IBM Security Bulletins
added 2022/02/22 8:10 p.m., 45 views

Security Bulletin: Netty vulnerabilities affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2019-9514, CVE-2019-9512, CVE-2019-9518, CVE-2019-9515)

Summary Netty denial of service vulnerabilities affect IBM Spectrum Control formerly Tivoli Storage Productivity Center. Vulnerability Details CVEID: CVE-2019-9514 DESCRIPTION: Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker...

CVSS 7.8, AI score 7.8, EPSS 0.87806
Exploits: 1, Affected Software: 1