[arch-security] [ASA-201602-13] nghttp2: denial of service
Arch Linux Security Advisory ASA-201602-13 ========================================== Severity: Low Date : 2016-02-13 CVE-ID : CVE-2016-1544 Package : nghttp2 Type : denial of service Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package nghttp2 before version 1.7.1-1 is vulnerable to denial of service. Resolution ========== Upgrade to 1.7.1-1. # pacman -Syu "nghttp2>=1.7.1-1" The problem has been fixed upstream in version 1.7.1. Workaround ========== None. Description =========== HTTP/2 uses HPACK to compress header fields. The basic idea is that HTTP header field is stored in the receiver with the numeric index number. The memory used by this storage is tightly constrained, and it is 4KiB by default. When sender sends the same header field, it just sends the corresponding numeric index number, which is usually 1 or 2 bytes. This means that after sender makes the receiver store the relatively large header field (e.g., 4KiB), and it can send specially crafted HEADERS/CONTINUATION frames which contain a lot of references to the stored header field, sender easily effectively send lots of big header fields to the receiver quite easily. nghttpd, nghttp, and libnghttp2_asio applications do not limit the memory usage for received header fields, so if the peer performs the procedure described above, they will crash due to out of memory. Impact ====== A remote attacker can cause an application using nghttp2 to allocate a lot of memory by sending specially crafted HTTP/2 frames, causing a denial of service. References ========== https://nghttp2.org/blog/2016/02/11/nghttp2-v1-7-1/ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1544
participants (1)
-
Remi Gacogne