Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
EUVDB-ID: #VU30377
Risk: Low
CVSSv3.1: 2.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2016-1544
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a local authenticated user to perform service disruption.
nghttp2 before 1.7.1 allows remote attackers to cause a denial of service (memory exhaustion).
Mitigation
Update the affected package nghttp2 to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server: 12-SP2-BCL - 12-SP5
SUSE Linux Enterprise Server for SAP: 12-SP2 - 12-SP4
SUSE OpenStack Cloud Crowbar: 8 - 9
HPE Helion Openstack: 8
SUSE OpenStack Cloud: 7 - 9
nghttp2-debugsource: before 1.39.2-3.5.1
nghttp2-debuginfo: before 1.39.2-3.5.1
libnghttp2-14-debuginfo-32bit: before 1.39.2-3.5.1
libnghttp2-14-debuginfo: before 1.39.2-3.5.1
libnghttp2-14-32bit: before 1.39.2-3.5.1
libnghttp2-14: before 1.39.2-3.5.1
External links
http://www.suse.com/support/update/announcement/2021/suse-su-20210932-1/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU11858
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-1000168
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
Description
The vulnerability allows a remote unauthenticated attacker to cause a DoS condition on the target system.
The weakness exists due to improper bounds checking. If an alternative services (ALTSVC) frame is too large, the pointer field that points to the ALTSVC frame payload is left NULL. A remote attacker can submit a large ALTSVC frame, trigger a NULL pointer dereference and cause the service to crash.
Mitigation
Update the affected package nghttp2 to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server: 12-SP2-BCL - 12-SP5
SUSE Linux Enterprise Server for SAP: 12-SP2 - 12-SP4
SUSE OpenStack Cloud Crowbar: 8 - 9
HPE Helion Openstack: 8
SUSE OpenStack Cloud: 7 - 9
nghttp2-debugsource: before 1.39.2-3.5.1
nghttp2-debuginfo: before 1.39.2-3.5.1
libnghttp2-14-debuginfo-32bit: before 1.39.2-3.5.1
libnghttp2-14-debuginfo: before 1.39.2-3.5.1
libnghttp2-14-32bit: before 1.39.2-3.5.1
libnghttp2-14: before 1.39.2-3.5.1
External links
http://www.suse.com/support/update/announcement/2021/suse-su-20210932-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU20196
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-9511
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation when processing HTTP/2 requests. A remote attacker can send a specially crafted HTTP/2 request to the affected server, consume all available CPU resources and perform a denial of service (DoS) attack.
Successful exploitation of the vulnerability requires that support for HTTP/2 is enabled.
Mitigation
Update the affected package nghttp2 to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server: 12-SP2-BCL - 12-SP5
SUSE Linux Enterprise Server for SAP: 12-SP2 - 12-SP4
SUSE OpenStack Cloud Crowbar: 8 - 9
HPE Helion Openstack: 8
SUSE OpenStack Cloud: 7 - 9
nghttp2-debugsource: before 1.39.2-3.5.1
nghttp2-debuginfo: before 1.39.2-3.5.1
libnghttp2-14-debuginfo-32bit: before 1.39.2-3.5.1
libnghttp2-14-debuginfo: before 1.39.2-3.5.1
libnghttp2-14-32bit: before 1.39.2-3.5.1
libnghttp2-14: before 1.39.2-3.5.1
External links
http://www.suse.com/support/update/announcement/2021/suse-su-20210932-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU20197
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-9513
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation when processing HTTP/2 requests. A remote attacker can send a specially crafted HTTP/2 request to the affected server, consume all available CPU resources and perform a denial of service (DoS) attack.
Successful exploitation of the vulnerability requires that support for HTTP/2 is enabled.
Mitigation
Update the affected package nghttp2 to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server: 12-SP2-BCL - 12-SP5
SUSE Linux Enterprise Server for SAP: 12-SP2 - 12-SP4
SUSE OpenStack Cloud Crowbar: 8 - 9
HPE Helion Openstack: 8
SUSE OpenStack Cloud: 7 - 9
nghttp2-debugsource: before 1.39.2-3.5.1
nghttp2-debuginfo: before 1.39.2-3.5.1
libnghttp2-14-debuginfo-32bit: before 1.39.2-3.5.1
libnghttp2-14-debuginfo: before 1.39.2-3.5.1
libnghttp2-14-32bit: before 1.39.2-3.5.1
libnghttp2-14: before 1.39.2-3.5.1
External links
http://www.suse.com/support/update/announcement/2021/suse-su-20210932-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU28538
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-11080
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources when processing HTTP/2 SETTINGS frames. A remote attacker can trigger high CPU load by sending large HTTP/2 SETTINGS frames and perform a denial of service (DoS) attack.
Mitigation
Update the affected package nghttp2 to the latest version.
Vulnerable software versions
SUSE Linux Enterprise Server: 12-SP2-BCL - 12-SP5
SUSE Linux Enterprise Server for SAP: 12-SP2 - 12-SP4
SUSE OpenStack Cloud Crowbar: 8 - 9
HPE Helion Openstack: 8
SUSE OpenStack Cloud: 7 - 9
nghttp2-debugsource: before 1.39.2-3.5.1
nghttp2-debuginfo: before 1.39.2-3.5.1
libnghttp2-14-debuginfo-32bit: before 1.39.2-3.5.1
libnghttp2-14-debuginfo: before 1.39.2-3.5.1
libnghttp2-14-32bit: before 1.39.2-3.5.1
libnghttp2-14: before 1.39.2-3.5.1
External links
http://www.suse.com/support/update/announcement/2021/suse-su-20210932-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.