SB2019081549 - Resource management error in containerd (Alpine package)

Description

This security bulletin contains information about 1 vulnerability.

1) Resource management error (CVE-ID: CVE-2019-9515)

CWE-ID: CWE-399 - Resource Management Errors

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error in HTTP/2 implementation when processing SETTINGS frames. A remote attacker can send a huge amount of  SETTINGS frames to the peer and consume excessive CPU and memory on the system.

Remediation

Install update from vendor's website.

References

• https://git.alpinelinux.org/aports/commit/?id=c64d2552678a7126d5e1d18ac54ea0ee126298d9
• https://git.alpinelinux.org/aports/commit/?id=66b8ef9e1229d1630c160b9d6f89f315ad87acf9
• https://git.alpinelinux.org/aports/commit/?id=e59ae1cbadc31c59b3c6e298b697e299c6b59619
• https://git.alpinelinux.org/aports/commit/?id=441f8caf531eb82a234cf26ea4e64b4c4a4e7e1c
• https://git.alpinelinux.org/aports/commit/?id=3b2d519d19eed612aeaf0a62ee9003e23cbe7c2f
• https://git.alpinelinux.org/aports/commit/?id=e78ee5b73add9d52cfb312a9c213b1d6c251c17d
• https://git.alpinelinux.org/aports/commit/?id=285aeb8918cb76686f52211af1794c956dfac76e
• https://git.alpinelinux.org/aports/commit/?id=3ee31e5e22ef95dc3bd1bdce9cee66e8e2d03bb3
• https://git.alpinelinux.org/aports/commit/?id=cb9fd96b70026019c51ea38d29e4ec96ba003140
• https://git.alpinelinux.org/aports/commit/?id=578c97338a5cc6615df123d2759ef349dbf88c2c
• https://git.alpinelinux.org/aports/commit/?id=75cc679dead3d9b8aebb82a11c1f81a4eaaab853
• https://git.alpinelinux.org/aports/commit/?id=7149c919df587e3f9125fdac8bc2ccd4952027e3
• https://git.alpinelinux.org/aports/commit/?id=1e6f9b4d3f2d989dbba7b17640b425da9f8b86a0