The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2019:2799 advisory.

  - HTTP/2: large amount of data requests leads to denial of service (CVE-2019-9511)

  - HTTP/2: flood using PRIORITY frames results in excessive resource consumption (CVE-2019-9513)

  - HTTP/2: 0-length headers lead to denial of service (CVE-2019-9516)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Update to Node.js 10.6.13

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security fix for CVE-2019-9511, CVE-2019-9513, CVE-2019-9516

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for nodejs10 to version 10.16.3 fixes the following issues :

Security issues fixed :

  - CVE-2019-9511: Fixed HTTP/2 implementations that are     vulnerable to window size manipulation and stream     prioritization manipulation, potentially leading to a     denial of service (bsc#1146091).

  - CVE-2019-9512: Fixed HTTP/2 flood using PING frames     results in unbounded memory growth (bsc#1146099).

  - CVE-2019-9513: Fixed HTTP/2 implementation that is     vulnerable to resource loops, potentially leading to a     denial of service. (bsc#1146094).

  - CVE-2019-9514: Fixed HTTP/2 implementation that is     vulnerable to a reset flood, potentially leading to a     denial of service (bsc#1146095).

  - CVE-2019-9515: Fixed HTTP/2 flood using SETTINGS frames     results in unbounded memory growth (bsc#1146100).

  - CVE-2019-9516: Fixed HTTP/2 implementation that is     vulnerable to a header leak, potentially leading to a     denial of service (bsc#1146090).

  - CVE-2019-9517: Fixed HTTP/2 implementations that are     vulnerable to unconstrained interal data buffering     (bsc#1146097).

  - CVE-2019-9518: Fixed HTTP/2 implementation that is     vulnerable to a flood of empty frames, potentially     leading to a denial of service (bsc#1146093).

This update was imported from the SUSE:SLE-15:Update update project.

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. (CVE-2019-9511)

Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree.
This can consume excess CPU. (CVE-2019-9513)

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory. (CVE-2019-9516)

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2022:0017 advisory.

    Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:

    CVE-2019-0190:
    A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully     crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be     only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an     interaction in changes to handling of renegotiation attempts.

    CVE-2019-0196:
    A vulnerability was found in Apache HTTP Server 2.4.17 to 2.4.38. Using fuzzed network input, the http/2     request handling could be made to access freed memory in string comparison when determining the method of     a request and thus process the request incorrectly.

    CVE-2019-0197:
    A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host     or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not     the first request on a connection could lead to a misconfiguration and crash. Server that never enabled     the h2 protocol or that only enabled it for https: and did not set H2Upgrade on are unaffected by this     issue.

    CVE-2019-0211:
    In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in     less-privileged child processes or threads (including scripts executed by an in-process scripting     interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by     manipulating the scoreboard. Non-Unix systems are not affected.

    CVE-2019-0215:
    In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client     certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.

    CVE-2019-0217:
    In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a     threaded server could allow a user with valid credentials to authenticate using another username,     bypassing configured access control restrictions.

    CVE-2019-0220:
    A vulnerability was found in Apache HTTP Server 2.4.0 to 2.4.38. When the path component of a request URL     contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account     for duplicates in regular expressions while other aspects of the servers processing will implicitly     collapse them.

    CVE-2019-10082:
    In Apache HTTP Server 2.4.18-2.4.39, using fuzzed network input, the http/2 session handling could be made     to read memory after being freed, during connection shutdown.

    CVE-2019-10092:
    In Apache HTTP Server 2.4.0-2.4.39, a limited cross-site scripting issue was reported affecting the     mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point     to a page of their choice. This would only be exploitable where a server was set up with proxying enabled     but was misconfigured in such a way that the Proxy Error page was displayed.

    CVE-2019-10097:
    In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy     server using the PROXY protocol, a specially crafted PROXY header could trigger a stack buffer overflow     or NULL pointer deference. This vulnerability could only be triggered by a trusted proxy and not by     untrusted HTTP clients.

    CVE-2019-10098:
    In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be     self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the     request URL.

    CVE-2019-9511:
    Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization     manipulation, potentially leading to a denial of service. The attacker requests a large amount of data     from a specified resource over multiple streams. They manipulate window size and stream priority to force     the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can     consume excess CPU, memory, or both.

    CVE-2019-9516:
    Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service.
    The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally     Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and     keep the allocation alive until the session dies. This can consume excess memory.

    CVE-2019-9517:
    Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to     a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint;
    however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the     wire. The attacker then sends a stream of requests for a large response object. Depending on how the     servers queue the responses, this can consume excess memory, CPU, or both.

    CVE-2020-11984:
    Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE

    CVE-2020-11993:
    Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on     certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent     use of memory pools. Configuring the LogLevel of mod_http2 above info will mitigate this vulnerability     for unpatched servers.

    CVE-2020-1927:
    In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be     self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within     the request URL.

    CVE-2020-1934:
    In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a     malicious FTP server.

    CVE-2020-9490:
    Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a     HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource     afterwards. Configuring the HTTP/2 feature via H2Push off will mitigate this vulnerability for unpatched     servers.

    CVE-2021-26690:
    Apache HTTP Server versions 2.4.0 to 2.4.46 A specially crafted Cookie header handled by mod_session can     cause a NULL pointer dereference and crash, leading to a possible Denial Of Service

    CVE-2021-30641:
    Apache HTTP Server versions 2.4.39 to 2.4.46 Unexpected matching behavior with 'MergeSlashes OFF'

    CVE-2021-34798:
    Malformed requests may cause the server to dereference a NULL pointer. This issue affects Apache HTTP     Server 2.4.48 and earlier.

    CVE-2021-39275:
    ap_escape_quotes() may write beyond the end of a buffer when given malicious input. No included modules     pass untrusted data to these functions, but third-party / external modules may. This issue affects Apache     HTTP Server 2.4.48 and earlier.

    CVE-2021-44790:
    A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser     (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the     vulnerabilty though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and     earlier.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the nginx package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Some HTTP/2 implementations are vulnerable to window     size manipulation and stream prioritization     manipulation, potentially leading to a denial of     service. The attacker requests a large amount of data     from a specified resource over multiple streams. They     manipulate window size and stream priority to force the     server to queue the data in 1-byte chunks. Depending on     how efficiently this data is queued, this can consume     excess CPU, memory, or both.(CVE-2019-9511)

  - Some HTTP/2 implementations are vulnerable to resource     loops, potentially leading to a denial of service. The     attacker creates multiple request streams and     continually shuffles the priority of the streams in a     way that causes substantial churn to the priority tree.
    This can consume excess CPU.(CVE-2019-9513)

  - Some HTTP/2 implementations are vulnerable to a header     leak, potentially leading to a denial of service. The     attacker sends a stream of headers with a 0-length     header name and 0-length header value, optionally     Huffman encoded into 1-byte or greater headers. Some     implementations allocate memory for these headers and     keep the allocation alive until the session dies. This     can consume excess memory.(CVE-2019-9516)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Published	Updated	Severity
145622	CentOS 8 : nginx:1.14 (CESA-2019:2799)	Nessus	CentOS Local Security Checks	1/29/2021	1/25/2024	high
128131	Fedora 30 : 1:nodejs (2019-5a6a7bc12c) (0-Length Headers Leak) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood)	Nessus	Fedora Local Security Checks	8/26/2019	5/1/2024	high
128482	Fedora 29 : 1:nginx (2019-7a0b45fdc4) (0-Length Headers Leak) (Data Dribble) (Resource Loop)	Nessus	Fedora Local Security Checks	9/4/2019	4/29/2024	high
128668	openSUSE Security Update : nodejs10 (openSUSE-2019-2114) (0-Length Headers Leak) (Data Dribble) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood)	Nessus	SuSE Local Security Checks	9/11/2019	4/26/2024	high
129569	Amazon Linux AMI : nginx (ALAS-2019-1299) (0-Length Headers Leak) (Data Dribble) (Resource Loop)	Nessus	Amazon Linux Local Security Checks	10/4/2019	4/19/2024	high
239371	TencentOS Server 3: httpd:2.4 (TSSA-2022:0017)	Nessus	Tencent Local Security Checks	6/16/2025	12/4/2025	critical
142242	EulerOS 2.0 SP2 : nginx (EulerOS-SA-2020-2372)	Nessus	Huawei Local Security Checks	11/3/2020	2/12/2024	high

Detections

Analytics

Plugins Search

high

high

high

high

high

critical

high