CVE-2019-9512
Publication date 13 August 2019
Last updated 24 July 2024
Ubuntu priority
Cvss 3 Severity Score
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
From the Ubuntu Security Team
It was discovered that Netty incorrectly implements HTTP/2. An attacker could possibly use this issue to cause a denial of service.
Status
Package | Ubuntu Release | Status |
---|---|---|
golang | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial | Not in release | |
14.04 LTS trusty | Not in release | |
golang-1.10 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic |
Vulnerable
|
|
16.04 LTS xenial |
Needs evaluation
|
|
14.04 LTS trusty | Ignored end of ESM support, was needs-triage | |
golang-1.11 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial | Not in release | |
14.04 LTS trusty | Not in release | |
golang-1.12 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial | Not in release | |
14.04 LTS trusty | Not in release | |
golang-1.6 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial |
Needs evaluation
|
|
14.04 LTS trusty | Not in release | |
golang-1.7 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic | Not in release | |
16.04 LTS xenial | Not in release | |
14.04 LTS trusty | Not in release | |
golang-1.8 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic |
Vulnerable
|
|
16.04 LTS xenial | Not in release | |
14.04 LTS trusty | Not in release | |
golang-1.9 | 24.10 oracular | Not in release |
24.04 LTS noble | Not in release | |
22.04 LTS jammy | Not in release | |
20.04 LTS focal | Not in release | |
18.04 LTS bionic |
Vulnerable
|
|
16.04 LTS xenial | Not in release | |
14.04 LTS trusty | Not in release | |
h2o | 24.10 oracular |
Not affected
|
24.04 LTS noble |
Not affected
|
|
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Not affected
|
|
18.04 LTS bionic |
Needs evaluation
|
|
16.04 LTS xenial | Not in release | |
14.04 LTS trusty | Not in release | |
netty | 24.10 oracular |
Vulnerable
|
24.04 LTS noble |
Vulnerable
|
|
22.04 LTS jammy |
Vulnerable
|
|
20.04 LTS focal |
Vulnerable
|
|
18.04 LTS bionic |
Fixed 1:4.1.7-4ubuntu0.1+esm1
|
|
16.04 LTS xenial |
Not affected
|
|
14.04 LTS trusty |
Not affected
|
|
nginx | 24.10 oracular |
Not affected
|
24.04 LTS noble |
Not affected
|
|
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Not affected
|
|
18.04 LTS bionic |
Not affected
|
|
16.04 LTS xenial |
Not affected
|
|
14.04 LTS trusty |
Not affected
|
|
trafficserver | 24.10 oracular |
Not affected
|
24.04 LTS noble |
Not affected
|
|
22.04 LTS jammy |
Not affected
|
|
20.04 LTS focal |
Not affected
|
|
18.04 LTS bionic |
Vulnerable
|
|
16.04 LTS xenial |
Needs evaluation
|
|
14.04 LTS trusty | Not in release | |
twisted | 24.10 oracular |
Fixed 18.9.0-6ubuntu1
|
24.04 LTS noble |
Fixed 18.9.0-6ubuntu1
|
|
22.04 LTS jammy |
Fixed 18.9.0-6ubuntu1
|
|
20.04 LTS focal |
Fixed 18.9.0-6ubuntu1
|
|
18.04 LTS bionic |
Fixed 17.9.0-2ubuntu0.1
|
|
16.04 LTS xenial |
Not affected
|
|
14.04 LTS trusty |
Not affected
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu ProNotes
sbeattie
nginx added http2 support in 1.9.5 nginx previously fixed issue for CVE-2018-16844 netty added http2 support in 4.1.0 nghttp2: nghttpd and nghttp are affected, libnghttp2 is not twisted added http2 support in 16.3 trafficserver enabled http2 support by default in 7.0
mdeslaur
Packages built using golang need to be rebuilt once the vulnerability has been fixed. This CVE entry does not list packages that need rebuilding outside of the main repository or the Ubuntu variants with PPA overlays.
Patch details
Package | Patch details |
---|---|
golang-1.11 |
|
golang-1.12 |
|
twisted |
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 · High |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-4308-1
- Twisted vulnerabilities
- 19 March 2020
- USN-4866-1
- Netty vulnerabilities
- 29 June 2021
Other references
- https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
- https://netty.io/news/2019/08/13/4-1-39-Final.html
- http://blog.kazuhooku.com/2019/08/h2o-version-226-230-beta2-released.html
- https://github.com/netty/netty/pull/9460
- https://labs.twistedmatrix.com/2019/11/twisted-19100-released.html
- https://www.cve.org/CVERecord?id=CVE-2019-9512