CVE-2022-0618: 
Swift vulnerability analysis and mitigation

A program using swift-nio-http2 is vulnerable to a denial of service attack, caused by a network peer sending a specially crafted HTTP/2 frame. The vulnerability (CVE-2022-0618) affects all swift-nio-http2 versions from 1.0.0 to 1.19.2 and was discovered through automated fuzzing by oss-fuzz. The issue was fixed in version 1.20.0 (Swift Advisory).

The vulnerability stems from a logical error in parsing HTTP/2 HEADERS or HTTP/2 PUSH_PROMISE frames containing padding information without any other data. This parsing error leads to confusion about the frame size, resulting in immediate process crashes. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility with low attack complexity and no required privileges or user interaction (NVD).

The impact on availability is severe as receiving the malicious frame immediately crashes the server, dropping all in-flight connections and requiring service restart. While the vulnerability doesn't directly pose confidentiality or integrity risks due to memory-safe code execution, sudden process crashes could potentially lead to violations of service invariants that might have secondary confidentiality or integrity implications (Swift Advisory).

The vulnerability has been fixed by rewriting the parsing code to correctly handle the condition in version 1.20.0. While the risk can be mitigated by preventing untrusted peers from communicating with the service, this mitigation strategy is not available to many services. Organizations are advised to upgrade to version 1.20.0 or later (Swift Advisory).