Who has the fastest F1 website in 2021? Part 7
This is part 7 in a multi-part series looking at the loading performance of F1 websites. Not interested in F1? It shouldn't matter. This is just a performance review of 10 recently-built/updated sites that have broadly the same goal, but are built by different teams, and have different performanc...
Amazon Linux AMI : tomcat7 (ALAS-2021-1493)
The version of tomcat7 installed on the remote host is prior to 7.0.108-1.40. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2021-1493 advisory. A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. Under specific circumstances, an attacker...
CVE-2021-28165
When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing high CPU resources utilization. The highest threat from this vulnerability is to service availability...
CVE-2021-22999
On versions 15.0.x before 15.1.0 and 14.1.x before 14.1.4, the BIG-IP system provides an option to connect HTTP/2 clients to HTTP/1.x servers. When a client is slow to accept responses and it closes a connection prematurely, the BIG-IP system may indefinitely retain some streams unclosed. Note:...
Code injection
On versions 15.0.x before 15.1.0 and 14.1.x before 14.1.4, the BIG-IP system provides an option to connect HTTP/2 clients to HTTP/1.x servers. When a client is slow to accept responses and it closes a connection prematurely, the BIG-IP system may indefinitely retain some streams unclosed. Note:...
CVE-2021-22999
CVE-2021-22999 affects BIG-IP HTTP/2 profiles: when an HTTP/2 client closes a slow connection, the system may indefinitely retain streams, causing a memory leak and potential DoS. Affected versions include 15.0.x before 15.1.0 and 14.1.x before 14.1.4; remediation involves upgrading to non‑vulner...
Moderate: Red Hat Security Advisory: Red Hat build of Eclipse Vert.x 4.0.3 security update
An update is now available for Red Hat build of Eclipse Vert.x. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability. For more...
CVE-2021-21409
A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The...
CVE-2021-21409
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty io.netty:netty-codec-http2 before version 4.1.61.Final there is a vulnerability that enables request smuggling. The...
Possible request smuggling in HTTP/2 due missing validation of content-length
Impact The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of...
CVE-2021-21409 Possible request smuggling in HTTP/2 due missing validation of content-length
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty io.netty:netty-codec-http2 before version 4.1.61.Final there is a vulnerability that enables request smuggling. The...
openSUSE Security Update : nghttp2 (openSUSE-2021-468)
This update for nghttp2 fixes the following issues : - CVE-2020-11080: HTTP/2 Large Settings Frame DoS bsc1181358 This update was imported from the SUSE:SLE-15:Update update project. (C) Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from openSU...
SUSE SLES15 Security Update : nghttp2 (SUSE-SU-2021:0931-1)
This update for nghttp2 fixes the following issues : CVE-2020-11080: HTTP/2 Large Settings Frame DoS bsc1181358 Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as...
SUSE SLED15 / SLES15 Security Update : nghttp2 (SUSE-SU-2021:0930-1)
This update for nghttp2 fixes the following issues : CVE-2020-11080: HTTP/2 Large Settings Frame DoS bsc1181358 Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as...
SUSE SLES12 Security Update : nghttp2 (SUSE-SU-2021:0932-1) (Data Dribble) (Resource Loop)
This update for nghttp2 fixes the following issues : Security issues fixed : CVE-2020-11080: HTTP/2 Large Settings Frame DoS bsc1181358. CVE-2019-9513: Fixed HTTP/2 implementation that is vulnerable to resource loops, potentially leading to a denial of service bsc1146184. CVE-2019-9511: Fixed...
OPENSUSE-SU-2021:0468-1 Security update for nghttp2
This update for nghttp2 fixes the following issues: - CVE-2020-11080: HTTP/2 Large Settings Frame DoS bsc1181358 This update was imported from the SUSE:SLE-15:Update update project...
Security update for nghttp2 (important)
openSUSE Security Update: Security update for nghttp2 Announcement ID: openSUSE-SU-2021:0468-1 Rating: important References: 1172442 1181358 Cross-References: CVE-2020-11080 CVSS scores: CVE-2020-11080 NVD : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2020-11080 SUSE: 7.5...
SUSE-SU-2021:0931-1 Security update for nghttp2
This update for nghttp2 fixes the following issues: - CVE-2020-11080: HTTP/2 Large Settings Frame DoS bsc1181358...
CVE-2019-9517
A vulnerability was found in HTTP/2. An attacker can open an HTTP/2 window so the peer can send without constraint. The TCP window remains closed so the peer cannot write the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the server's...