Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 5 |
CVE-ID | CVE-2016-1544 CVE-2018-1000168 CVE-2019-9511 CVE-2019-9513 CVE-2020-11080 |
CWE-ID | CWE-400 CWE-476 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software |
SUSE Linux Enterprise Server: Operating systems & Components / Operating system
SUSE Linux Enterprise Server for SAP: Operating systems & Components / Operating system
SUSE OpenStack Cloud Crowbar: Operating systems & Components / Operating system
HPE Helion Openstack: Operating systems & Components / Operating system
SUSE OpenStack Cloud: Operating systems & Components / Operating system
nghttp2-debugsource: Operating systems & Components / Operating system package or component
nghttp2-debuginfo: Operating systems & Components / Operating system package or component
libnghttp2-14-debuginfo-32bit: Operating systems & Components / Operating system package or component
libnghttp2-14-debuginfo: Operating systems & Components / Operating system package or component
libnghttp2-14-32bit: Operating systems & Components / Operating system package or component
libnghttp2-14: Operating systems & Components / Operating system package or component |
Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
EUVDB-ID: #VU30377
Risk: Low
CVSSv4.0: 1.1 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2016-1544
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a local authenticated user to perform service disruption.
nghttp2 before 1.7.1 allows remote attackers to cause a denial of service (memory exhaustion).
Mitigation
Update the affected package nghttp2 to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server: 12-SP2-LTSS-ERICSSON - 12-SP5
SUSE Linux Enterprise Server for SAP: 12-SP2 - 12-SP4
SUSE OpenStack Cloud Crowbar: 8 - 9
HPE Helion Openstack: 8
SUSE OpenStack Cloud: 7 - 9
nghttp2-debugsource: before 1.39.2-3.5.1
nghttp2-debuginfo: before 1.39.2-3.5.1
libnghttp2-14-debuginfo-32bit: before 1.39.2-3.5.1
libnghttp2-14-debuginfo: before 1.39.2-3.5.1
libnghttp2-14-32bit: before 1.39.2-3.5.1
libnghttp2-14: before 1.39.2-3.5.1
http://www.suse.com/support/update/announcement/2021/suse-su-20210932-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU11858
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-1000168
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
Description
The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.
The weakness exists due to improper bounds checking. If an alternative services (ALTSVC) frame is too large, the pointer field that points to the ALTSVC frame payload is left NULL. A remote attacker can submit a large ALTSVC frame, trigger a NULL pointer dereference and cause the service to crash.
Mitigation
Update the affected package nghttp2 to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server: 12-SP2-LTSS-ERICSSON - 12-SP5
SUSE Linux Enterprise Server for SAP: 12-SP2 - 12-SP4
SUSE OpenStack Cloud Crowbar: 8 - 9
HPE Helion Openstack: 8
SUSE OpenStack Cloud: 7 - 9
nghttp2-debugsource: before 1.39.2-3.5.1
nghttp2-debuginfo: before 1.39.2-3.5.1
libnghttp2-14-debuginfo-32bit: before 1.39.2-3.5.1
libnghttp2-14-debuginfo: before 1.39.2-3.5.1
libnghttp2-14-32bit: before 1.39.2-3.5.1
libnghttp2-14: before 1.39.2-3.5.1
http://www.suse.com/support/update/announcement/2021/suse-su-20210932-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU20196
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-9511
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation when processing HTTP/2 requests. A remote attacker can send a specially crafted HTTP/2 request to the affected server, consume all available CPU resources and perform a denial of service (DoS) attack.
Successful exploitation of the vulnerability requires that support for HTTP/2 is enabled.
Mitigation
Update the affected package nghttp2 to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server: 12-SP2-LTSS-ERICSSON - 12-SP5
SUSE Linux Enterprise Server for SAP: 12-SP2 - 12-SP4
SUSE OpenStack Cloud Crowbar: 8 - 9
HPE Helion Openstack: 8
SUSE OpenStack Cloud: 7 - 9
nghttp2-debugsource: before 1.39.2-3.5.1
nghttp2-debuginfo: before 1.39.2-3.5.1
libnghttp2-14-debuginfo-32bit: before 1.39.2-3.5.1
libnghttp2-14-debuginfo: before 1.39.2-3.5.1
libnghttp2-14-32bit: before 1.39.2-3.5.1
libnghttp2-14: before 1.39.2-3.5.1
http://www.suse.com/support/update/announcement/2021/suse-su-20210932-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU20197
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-9513
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation when processing HTTP/2 requests. A remote attacker can send a specially crafted HTTP/2 request to the affected server, consume all available CPU resources and perform a denial of service (DoS) attack.
Successful exploitation of the vulnerability requires that support for HTTP/2 is enabled.
Mitigation
Update the affected package nghttp2 to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server: 12-SP2-LTSS-ERICSSON - 12-SP5
SUSE Linux Enterprise Server for SAP: 12-SP2 - 12-SP4
SUSE OpenStack Cloud Crowbar: 8 - 9
HPE Helion Openstack: 8
SUSE OpenStack Cloud: 7 - 9
nghttp2-debugsource: before 1.39.2-3.5.1
nghttp2-debuginfo: before 1.39.2-3.5.1
libnghttp2-14-debuginfo-32bit: before 1.39.2-3.5.1
libnghttp2-14-debuginfo: before 1.39.2-3.5.1
libnghttp2-14-32bit: before 1.39.2-3.5.1
libnghttp2-14: before 1.39.2-3.5.1
http://www.suse.com/support/update/announcement/2021/suse-su-20210932-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU28538
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-11080
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources when processing HTTP/2 SETTINGS frames. A remote attacker can trigger high CPU load by sending large HTTP/2 SETTINGS frames and perform a denial of service (DoS) attack.
Mitigation
Update the affected package nghttp2 to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server: 12-SP2-LTSS-ERICSSON - 12-SP5
SUSE Linux Enterprise Server for SAP: 12-SP2 - 12-SP4
SUSE OpenStack Cloud Crowbar: 8 - 9
HPE Helion Openstack: 8
SUSE OpenStack Cloud: 7 - 9
nghttp2-debugsource: before 1.39.2-3.5.1
nghttp2-debuginfo: before 1.39.2-3.5.1
libnghttp2-14-debuginfo-32bit: before 1.39.2-3.5.1
libnghttp2-14-debuginfo: before 1.39.2-3.5.1
libnghttp2-14-32bit: before 1.39.2-3.5.1
libnghttp2-14: before 1.39.2-3.5.1
http://www.suse.com/support/update/announcement/2021/suse-su-20210932-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.