CVE-2019-9512 (High) detected in multiple libraries - autoclosed

[mend-for-github-com]

CVE-2019-9512 - High Severity Vulnerability

Vulnerable Libraries - netty-codec-http2-4.1.32.Final.jar, netty-codec-http2-4.1.12.Final.jar, netty-codec-http2-4.1.15.Final.jar, netty-codec-http2-4.1.8.Final.jar, netty-codec-http2-4.1.29.Final.jar

netty-codec-http2-4.1.32.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /dd-java-agent/instrumentation/aws-java-sdk-2.2/aws-java-sdk-2.2.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.32.Final/d14eb053a1f96d3330ec48e77d489118d547557a/netty-codec-http2-4.1.32.Final.jar

Dependency Hierarchy:

• kinesis-2.2.0.jar (Root Library)
  • netty-nio-client-2.2.0.jar
    • ❌ netty-codec-http2-4.1.32.Final.jar (Vulnerable Library)

netty-codec-http2-4.1.12.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /dd-java-agent/instrumentation/grpc-1.5/grpc-1.5.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.12.Final/5373bd1a7b61f4620a3c421ee999f6142d8aa06d/netty-codec-http2-4.1.12.Final.jar

Dependency Hierarchy:

• grpc-netty-1.5.0.jar (Root Library)
  • ❌ netty-codec-http2-4.1.12.Final.jar (Vulnerable Library)

netty-codec-http2-4.1.15.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /dd-java-agent/instrumentation/vertx-rx-3.5/vertx-rx-3.5.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.15.Final/4fd3b955b53ee80ef8d872dcdb53aea9f8f47a77/netty-codec-http2-4.1.15.Final.jar

Dependency Hierarchy:

• vertx-rx-java2-3.5.0.jar (Root Library)
  • vertx-core-3.5.0.jar
    • ❌ netty-codec-http2-4.1.15.Final.jar (Vulnerable Library)

netty-codec-http2-4.1.8.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /dd-java-agent/instrumentation/finatra-2.9/finatra-2.9.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.8.Final/105a99ee5767463370ccc3d2e16800bd99f5648e/netty-codec-http2-4.1.8.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.8.Final/105a99ee5767463370ccc3d2e16800bd99f5648e/netty-codec-http2-4.1.8.Final.jar

Dependency Hierarchy:

• vertx-web-3.4.0.jar (Root Library)
  • vertx-core-3.4.0.jar
    • ❌ netty-codec-http2-4.1.8.Final.jar (Vulnerable Library)

netty-codec-http2-4.1.29.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /dd-java-agent/instrumentation/netty-4.1/netty-4.1.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.29.Final/e573656f141a54f808ba482213a3abca2f2c6e6d/netty-codec-http2-4.1.29.Final.jar

Dependency Hierarchy:

• reactor-netty-0.8.0.RELEASE.jar (Root Library)
  • ❌ netty-codec-http2-4.1.29.Final.jar (Vulnerable Library)

Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079

Found in base branch: master

Vulnerability Details

Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Publish Date: 2019-08-13

URL: CVE-2019-9512

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512

Release Date: 2019-08-13

Fix Resolution (io.netty:netty-codec-http2): 4.1.39.Final

Direct dependency fix Resolution (software.amazon.awssdk:kinesis): 2.8.0

Fix Resolution (io.netty:netty-codec-http2): 4.1.39.Final

Direct dependency fix Resolution (io.grpc:grpc-netty): 1.23.1

Fix Resolution (io.netty:netty-codec-http2): 4.1.39.Final

Direct dependency fix Resolution (io.vertx:vertx-rx-java2): 3.5.4

Fix Resolution (io.netty:netty-codec-http2): 4.1.39.Final

Direct dependency fix Resolution (io.vertx:vertx-web): 3.5.0

Fix Resolution (io.netty:netty-codec-http2): 4.1.39.Final

Direct dependency fix Resolution (io.projectreactor.netty:reactor-netty): 0.8.11.RELEASE

---

⛑️ Automatic Remediation is available for this issue

[mend-for-github-com]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.