Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2019-9511

Published: 13 August 2019

Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Notes

AuthorNote
sbeattie
nginx added http2 support in 1.9.5
nghttp2: nghttpd and nghttp are affected, libnghttp2 is not
mdeslaur
nghttp2-server is in universe
sahnaseredini
nodejs patch is a version upgrade

Priority

Medium

Cvss 3 Severity Score

7.5

Score breakdown

Status

Package Release Status
nghttp2
Launchpad, Ubuntu, Debian
bionic Needed

cosmic Ignored
(end of life)
disco Ignored
(end of life)
eoan Not vulnerable
(1.39.2-1)
focal Not vulnerable
(1.39.2-1)
trusty Does not exist

upstream
Released (1.39.2)
impish Not vulnerable
(1.39.2-1)
groovy Not vulnerable
(1.39.2-1)
hirsute Not vulnerable
(1.39.2-1)
xenial Needed

jammy Not vulnerable
(1.39.2-1)
kinetic Not vulnerable
(1.39.2-1)
lunar Not vulnerable
(1.39.2-1)
mantic Not vulnerable
(1.39.2-1)
Binaries built from this source package are in Universe and so are supported by the community.
nginx
Launchpad, Ubuntu, Debian
bionic
Released (1.14.0-0ubuntu1.4)
cosmic Ignored
(end of life)
disco
Released (1.15.9-0ubuntu1.1)
eoan
Released (1.16.1-0ubuntu1)
impish
Released (1.16.1-0ubuntu1)
groovy
Released (1.16.1-0ubuntu1)
hirsute
Released (1.16.1-0ubuntu1)
jammy
Released (1.16.1-0ubuntu1)
kinetic
Released (1.16.1-0ubuntu1)
lunar
Released (1.16.1-0ubuntu1)
focal
Released (1.16.1-0ubuntu1)
trusty Not vulnerable
(http2 support not implemented)
upstream Needs triage

xenial
Released (1.10.3-0ubuntu0.16.04.4)
mantic
Released (1.16.1-0ubuntu1)
Patches:
upstream: https://github.com/nginx/nginx/commit/94c5eb142e58a86f81eb1369fa6fcb96c2f23d6b
nodejs
Launchpad, Ubuntu, Debian
kinetic Ignored
(end of life, was needs-triage)
groovy Ignored
(end of life)
upstream Needs triage

bionic Ignored
(changes too intrusive)
focal Not vulnerable
(10.19.0~dfsg-3ubuntu1)
trusty Ignored
(changes too intrusive)
xenial Ignored
(changes too intrusive)
hirsute Ignored
(end of life)
jammy Not vulnerable
(12.22.9~dfsg-1ubuntu3)
impish Ignored
(end of life)
lunar Not vulnerable
(18.13.0+dfsg1-1ubuntu2)
mantic Not vulnerable
(18.13.0+dfsg1-1ubuntu2)

Severity score breakdown

Parameter Value
Base score 7.5
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H