Published: 2020-07-24
Security Advisory
This security advisory describes one medium risk vulnerability.
1) Resource management error
Severity: Medium
CVSSv3: 6.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C] [PCI]
CVE-ID: CVE-2020-11996
CWE-ID: CWE-399 - Resource Management Errors
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources with the application when processing HTTP/2 requests. A remote attacker can send specially crafted sequence of HTTP/2 requests to the affected server and trigger high CPU load for several seconds. A large number of such requests causes denial of service.
Mitigation
Update the affected packages.
Vulnerable software versions
Opensuse: 15.1
CPE
External links
https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00064.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
Support the originator by clicking the read the rest link below.