{ "threat_severity" : "Important", "public_date" : "2019-08-13T00:00:00Z", "bugzilla" : { "description" : "HTTP/2: 0-length headers lead to denial of service", "id" : "1741864", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1741864" }, "cvss3" : { "cvss3_base_score" : "6.5", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-400", "details" : [ "Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.", "A flaw was found in HTTP/2. An attacker, sending a stream of header with a 0-length header name and a 0-length header value, could cause some implementations to allocate memory for these headers and keep the allocations alive until the session dies. The can consume excess memory, potentially leading to a denial of service. The highest threat from this vulnerability is to system availability." ], "statement" : "This flaw has no available mitigation for nodejs package. It will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.", "affected_release" : [ { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-10-01T00:00:00Z", "advisory" : "RHSA-2019:2946", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-httpd-0:2.4.29-41.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-10-01T00:00:00Z", "advisory" : "RHSA-2019:2946", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-nghttp2-0:1.39.2-1.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3932", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-apr-0:1.6.3-63.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3932", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3932", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3932", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-curl-0:7.64.1-14.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3932", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3932", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-jansson-0:2.11-20.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3932", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3932", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3932", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3932", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3932", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-10-01T00:00:00Z", "advisory" : "RHSA-2019:2946", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-httpd-0:2.4.29-41.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-10-01T00:00:00Z", "advisory" : "RHSA-2019:2946", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-nghttp2-0:1.39.2-1.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3933", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3933", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3933", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3933", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3933", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3933", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-jansson-0:2.11-20.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3933", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3933", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3933", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3933", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3933", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7" }, { "product_name" : "Red Hat AMQ", "release_date" : "2020-03-23T00:00:00Z", "advisory" : "RHSA-2020:0922", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat AMQ 7.4.3", "release_date" : "2020-04-14T00:00:00Z", "advisory" : "RHSA-2020:1445", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2019-09-19T00:00:00Z", "advisory" : "RHSA-2019:2799", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "nginx:1.14-8000020190830002848.f8e95b4e" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2019-09-30T00:00:00Z", "advisory" : "RHSA-2019:2925", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "nodejs:10-8000020190911085529.f8e95b4e" }, { "product_name" : "Red Hat Fuse 7.6.0", "release_date" : "2020-03-26T00:00:00Z", "advisory" : "RHSA-2020:0983", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "undertow" }, { "product_name" : "Red Hat Quay 3", "release_date" : "2019-10-03T00:00:00Z", "advisory" : "RHSA-2019:2966", "cpe" : "cpe:/a:redhat:quay:3::el7", "package" : "quay3/clair-jwt:v2.0.9-7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date" : "2019-09-13T00:00:00Z", "advisory" : "RHSA-2019:2745", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6", "package" : "rh-nginx110-nginx-1:1.10.2-9.el6.1" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2019-09-13T00:00:00Z", "advisory" : "RHSA-2019:2745", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nginx110-nginx-1:1.10.2-9.el7.1" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2019-09-13T00:00:00Z", "advisory" : "RHSA-2019:2746", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nginx112-nginx-1:1.12.1-3.el7.1" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2019-09-17T00:00:00Z", "advisory" : "RHSA-2019:2775", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nginx114-nginx-1:1.14.1-1.el7.1" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2019-10-01T00:00:00Z", "advisory" : "RHSA-2019:2939", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs10-0:3.2-3.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2019-10-01T00:00:00Z", "advisory" : "RHSA-2019:2939", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs10-nodejs-0:10.16.3-3.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2019-10-02T00:00:00Z", "advisory" : "RHSA-2019:2955", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs8-0:3.0-5.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2019-10-02T00:00:00Z", "advisory" : "RHSA-2019:2955", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs8-nodejs-0:8.16.1-2.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date" : "2019-09-13T00:00:00Z", "advisory" : "RHSA-2019:2745", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nginx110-nginx-1:1.10.2-9.el7.1" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date" : "2019-09-13T00:00:00Z", "advisory" : "RHSA-2019:2746", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nginx112-nginx-1:1.12.1-3.el7.1" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date" : "2019-09-17T00:00:00Z", "advisory" : "RHSA-2019:2775", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nginx114-nginx-1:1.14.1-1.el7.1" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date" : "2019-09-13T00:00:00Z", "advisory" : "RHSA-2019:2745", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nginx110-nginx-1:1.10.2-9.el7.1" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date" : "2019-09-13T00:00:00Z", "advisory" : "RHSA-2019:2746", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nginx112-nginx-1:1.12.1-3.el7.1" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date" : "2019-09-17T00:00:00Z", "advisory" : "RHSA-2019:2775", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nginx114-nginx-1:1.14.1-1.el7.1" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date" : "2019-10-01T00:00:00Z", "advisory" : "RHSA-2019:2939", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs10-0:3.2-3.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date" : "2019-10-01T00:00:00Z", "advisory" : "RHSA-2019:2939", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs10-nodejs-0:10.16.3-3.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date" : "2019-10-02T00:00:00Z", "advisory" : "RHSA-2019:2955", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs8-0:3.0-5.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date" : "2019-10-02T00:00:00Z", "advisory" : "RHSA-2019:2955", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs8-nodejs-0:8.16.1-2.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2019-09-13T00:00:00Z", "advisory" : "RHSA-2019:2745", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nginx110-nginx-1:1.10.2-9.el7.1" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2019-09-13T00:00:00Z", "advisory" : "RHSA-2019:2746", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nginx112-nginx-1:1.12.1-3.el7.1" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2019-09-17T00:00:00Z", "advisory" : "RHSA-2019:2775", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nginx114-nginx-1:1.14.1-1.el7.1" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2019-10-01T00:00:00Z", "advisory" : "RHSA-2019:2939", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs10-0:3.2-3.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2019-10-01T00:00:00Z", "advisory" : "RHSA-2019:2939", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs10-nodejs-0:10.16.3-3.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2019-10-02T00:00:00Z", "advisory" : "RHSA-2019:2955", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs8-0:3.0-5.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2019-10-02T00:00:00Z", "advisory" : "RHSA-2019:2955", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs8-nodejs-0:8.16.1-2.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date" : "2019-09-13T00:00:00Z", "advisory" : "RHSA-2019:2745", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nginx110-nginx-1:1.10.2-9.el7.1" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date" : "2019-09-13T00:00:00Z", "advisory" : "RHSA-2019:2746", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nginx112-nginx-1:1.12.1-3.el7.1" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date" : "2019-09-17T00:00:00Z", "advisory" : "RHSA-2019:2775", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nginx114-nginx-1:1.14.1-1.el7.1" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date" : "2019-10-01T00:00:00Z", "advisory" : "RHSA-2019:2939", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs10-0:3.2-3.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date" : "2019-10-01T00:00:00Z", "advisory" : "RHSA-2019:2939", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs10-nodejs-0:10.16.3-3.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date" : "2019-10-02T00:00:00Z", "advisory" : "RHSA-2019:2955", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs8-0:3.0-5.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date" : "2019-10-02T00:00:00Z", "advisory" : "RHSA-2019:2955", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs8-nodejs-0:8.16.1-2.el7" }, { "product_name" : "Text-Only JBCS", "release_date" : "2019-10-01T00:00:00Z", "advisory" : "RHSA-2019:2950", "cpe" : "cpe:/a:redhat:jboss_core_services:1", "package" : "mod_http2" }, { "product_name" : "Text-Only JBCS", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3935", "cpe" : "cpe:/a:redhat:jboss_core_services:1" } ], "package_state" : [ { "product_name" : "CloudForms Management Engine 5", "fix_state" : "Not affected", "package_name" : "nginx", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5" }, { "product_name" : "Red Hat 3scale API Management Platform 2", "fix_state" : "Affected", "package_name" : "nginx", "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2", "impact" : "moderate" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Affected", "package_name" : "jetty", "cpe" : "cpe:/a:redhat:amq_broker:7", "impact" : "moderate" }, { "product_name" : "Red Hat AMQ Broker 7", "fix_state" : "Not affected", "package_name" : "netty", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat Ansible Tower 3", "fix_state" : "Not affected", "package_name" : "nginx", "cpe" : "cpe:/a:redhat:ansible_tower:3" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "httpd:2.4/mod_http2", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "nghttp2", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Not affected", "package_name" : "nginx:1.16/nginx", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Not affected", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "undertow-core", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 3", "fix_state" : "Out of support scope", "package_name" : "httpd", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:jboss_fuse:6", "impact" : "moderate" }, { "product_name" : "Red Hat JBoss Web Server 5", "fix_state" : "Not affected", "package_name" : "nghttp2", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5" }, { "product_name" : "Red Hat OpenShift Application Runtimes", "fix_state" : "Out of support scope", "package_name" : "rhoar-nodejs", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" }, { "product_name" : "Red Hat OpenShift Application Runtimes", "fix_state" : "Not affected", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" }, { "product_name" : "Red Hat OpenShift Container Platform 3.10", "fix_state" : "Not affected", "package_name" : "atomic-openshift", "cpe" : "cpe:/a:redhat:openshift:3.10" }, { "product_name" : "Red Hat OpenShift Container Platform 3.10", "fix_state" : "Not affected", "package_name" : "nodejs", "cpe" : "cpe:/a:redhat:openshift:3.10" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Not affected", "package_name" : "atomic-openshift", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 3.9", "fix_state" : "Not affected", "package_name" : "atomic-openshift", "cpe" : "cpe:/a:redhat:openshift:3.9" }, { "product_name" : "Red Hat OpenShift Container Platform 3.9", "fix_state" : "Not affected", "package_name" : "nodejs", "cpe" : "cpe:/a:redhat:openshift:3.9" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Not affected", "package_name" : "openshift", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Quay 3", "fix_state" : "Not affected", "package_name" : "nodejs", "cpe" : "cpe:/a:redhat:quay:3" }, { "product_name" : "Red Hat Single Sign-On 7", "fix_state" : "Not affected", "package_name" : "undertow", "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Not affected", "package_name" : "httpd24-httpd", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Not affected", "package_name" : "httpd24-nghttp2", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Not affected", "package_name" : "rh-nginx116-nginx", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-9516\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-9516\nhttps://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md\nhttps://github.com/nghttp2/nghttp2/issues/1382#\nhttps://kb.cert.org/vuls/id/605641/\nhttps://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/\nhttps://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/" ], "name" : "CVE-2019-9516", "mitigation" : { "value" : "Red Hat Quay 3.0 uses Nginx 1.12 from Red Hat Software Collections. It will be updated once a fixed is released for Software Collections. In the meantime users of Quay can disable http/2 support in Nginx by following these instructions:\n1. Copy the Nginx configuration from the quay container to the host\n$ docker cp 3aadf1421ba3:/quay-registry/conf/nginx/ /mnt/quay/nginx\n2. Edit the Nginx configuration, removing http/2 support\n$ sed -i 's/http2 //g' /mnt/quay/nginx/nginx.conf\n3. Restart Nginx with the new configuration mounted into the container, eg:\n$ docker run --restart=always -p 443:8443 -p 80:8080 --sysctl net.core.somaxconn=4096 -v /mnt/quay/config:/conf/stack:Z -v /mnt/quay/storage:/datastorage -v /mnt/quay/nginx:/quay-registry/config/nginx:Z -d quay.io/redhat/quay:v3.0.3", "lang" : "en:us" }, "csaw" : false }