CVE-2019-9512

Published: 13 August 2019

Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
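The queue growth described above is what a defensive bound has to cut off. Below is an added illustration of that bound, written for this page and not taken from the Go, Netty or any other project's fix: a minimal HTTP/2 PING handler that answers each PING with a PING ACK but closes the connection once the backlog of unsent control frames reaches a limit. The `conn` type, `pingFrame` helper and the budget of 100 frames are assumptions of the example; only the frame layout and PING semantics come from RFC 7540.

```go
package main

import "errors"

// HTTP/2 frame header (RFC 7540 §4.1): 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id.
const (
	frameHeaderLen         = 9
	framePing              = 0x6 // PING frame type (RFC 7540 §6.7)
	flagAck                = 0x1
	pingPayloadLen         = 8
	maxQueuedControlFrames = 100 // assumed budget for this example, not the upstream value
)
var errPingFlood = errors.New("queued control frames exceed limit; closing connection")
// conn models a server-side HTTP/2 connection whose peer never reads, so every PING ACK piles up in outbound (a constructed stand-in for the write queue).
type conn struct{ outbound [][]byte }

// handleFrame parses one raw frame and queues a PING ACK per non-ACK PING, returning errPingFlood (close the connection) once the queue is at its bound.
func (c *conn) handleFrame(raw []byte) error {
	if len(raw) < frameHeaderLen || len(raw)-frameHeaderLen != int(raw[0])<<16|int(raw[1])<<8|int(raw[2]) {
		return errors.New("truncated or mis-sized frame")
	}
	ftype, flags, payload := raw[3], raw[4], raw[frameHeaderLen:]
	streamID := uint32(raw[5]&0x7f)<<24 | uint32(raw[6])<<16 | uint32(raw[7])<<8 | uint32(raw[8])
	if ftype != framePing || flags&flagAck != 0 {
		return nil // non-PING frames and the peer's own ACKs need no reply here
	}
	if streamID != 0 || len(payload) != pingPayloadLen {
		return errors.New("malformed PING: must be on stream 0 with an 8-byte payload")
	}
	if len(c.outbound) >= maxQueuedControlFrames {
		return errPingFlood // letting this queue grow without bound is the CVE-2019-9512 condition
	}
	ack := pingFrame(payload) // echo the opaque data back with the ACK flag set
	ack[4] = flagAck
	c.outbound = append(c.outbound, ack)
	return nil
}

// pingFrame builds a PING frame on stream 0 carrying payload (used to construct input).
func pingFrame(payload []byte) []byte {
	f := make([]byte, frameHeaderLen+pingPayloadLen)
	f[2], f[3] = pingPayloadLen, framePing
	copy(f[frameHeaderLen:], payload)
	return f
}
func main() { // stand-alone demo: keep pinging until the bound trips
	c := &conn{}
	for c.handleFrame(pingFrame([]byte{1, 2, 3, 4, 5, 6, 7, 8})) == nil {
	}
	println("PING ACKs queued before the connection was closed:", len(c.outbound))
}
```

A real server would apply the same bound to every queued control frame (SETTINGS ACKs, RST_STREAM, and so on), not only to PING ACKs, since the peer can provoke any of them without ever reading the replies.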

From the Ubuntu security team

It was discovered that Netty incorrectly implements HTTP/2. An attacker could possibly use this issue to cause a denial of service.

Priority: Medium

CVSS 3 base score: 7.5

Status

Package / Release / Status

golang
Upstream: Needs triage
Ubuntu 21.04 (Hirsute Hippo): Does not exist
Ubuntu 20.10 (Groovy Gorilla): Does not exist
Ubuntu 20.04 LTS (Focal Fossa): Does not exist
Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

golang-1.10
Upstream: Needs triage
Ubuntu 21.04 (Hirsute Hippo): Does not exist
Ubuntu 20.10 (Groovy Gorilla): Does not exist
Ubuntu 20.04 LTS (Focal Fossa): Does not exist
Ubuntu 18.04 LTS (Bionic Beaver): Needed
Ubuntu 16.04 ESM (Xenial Xerus): Ignored (end of standard support, was needed)
Ubuntu 14.04 ESM (Trusty Tahr): Needs triage

golang-1.11
Upstream: Needs triage
Ubuntu 21.04 (Hirsute Hippo): Does not exist
Ubuntu 20.10 (Groovy Gorilla): Does not exist
Ubuntu 20.04 LTS (Focal Fossa): Does not exist
Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist
Patches:
Upstream: https://github.com/golang/go/commit/e152b01a468a1c18a290bf9aec52ccea7693c7f2

golang-1.12
Upstream: Needs triage
Ubuntu 21.04 (Hirsute Hippo): Does not exist
Ubuntu 20.10 (Groovy Gorilla): Does not exist
Ubuntu 20.04 LTS (Focal Fossa): Does not exist
Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist
Patches:
Upstream: https://github.com/golang/go/commit/7139b45d1410ded14e1e131151fd8dfc435ede6c

golang-1.6
Upstream: Needs triage
Ubuntu 21.04 (Hirsute Hippo): Does not exist
Ubuntu 20.10 (Groovy Gorilla): Does not exist
Ubuntu 20.04 LTS (Focal Fossa): Does not exist
Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
Ubuntu 16.04 ESM (Xenial Xerus): Needs triage
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

golang-1.7
Upstream: Needs triage
Ubuntu 21.04 (Hirsute Hippo): Does not exist
Ubuntu 20.10 (Groovy Gorilla): Does not exist
Ubuntu 20.04 LTS (Focal Fossa): Does not exist
Ubuntu 18.04 LTS (Bionic Beaver): Does not exist
Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

golang-1.8
Upstream: Needs triage
Ubuntu 21.04 (Hirsute Hippo): Does not exist
Ubuntu 20.10 (Groovy Gorilla): Does not exist
Ubuntu 20.04 LTS (Focal Fossa): Does not exist
Ubuntu 18.04 LTS (Bionic Beaver): Needed
Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

golang-1.9
Upstream: Needs triage
Ubuntu 21.04 (Hirsute Hippo): Does not exist
Ubuntu 20.10 (Groovy Gorilla): Does not exist
Ubuntu 20.04 LTS (Focal Fossa): Does not exist
Ubuntu 18.04 LTS (Bionic Beaver): Needed
Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

h2o
Upstream: Needs triage
Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (2.2.5+dfsg2-3)
Ubuntu 20.10 (Groovy Gorilla): Not vulnerable (2.2.5+dfsg2-3)
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (2.2.5+dfsg2-3)
Ubuntu 18.04 LTS (Bionic Beaver): Needs triage
Ubuntu 16.04 ESM (Xenial Xerus): Does not exist
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

netty
Upstream: Needs triage
Ubuntu 21.04 (Hirsute Hippo): Needed
Ubuntu 20.10 (Groovy Gorilla): Needed
Ubuntu 20.04 LTS (Focal Fossa): Needed
Ubuntu 18.04 LTS (Bionic Beaver): Needed
Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (http2 support not implemented)
Ubuntu 14.04 ESM (Trusty Tahr): Not vulnerable (http2 support not implemented)

nginx
Upstream: Needs triage
Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (fixed for CVE-2018-16844)
Ubuntu 20.10 (Groovy Gorilla): Not vulnerable (fixed for CVE-2018-16844)
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (fixed for CVE-2018-16844)
Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (fixed for CVE-2018-16844)
Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (fixed for CVE-2018-16844)
Ubuntu 14.04 ESM (Trusty Tahr): Not vulnerable (http2 support not implemented)

trafficserver
Upstream: Needs triage
Ubuntu 21.04 (Hirsute Hippo): Not vulnerable (8.0.5+ds-1)
Ubuntu 20.10 (Groovy Gorilla): Not vulnerable (8.0.5+ds-1)
Ubuntu 20.04 LTS (Focal Fossa): Not vulnerable (8.0.5+ds-1)
Ubuntu 18.04 LTS (Bionic Beaver): Needed
Ubuntu 16.04 ESM (Xenial Xerus): Ignored (end of standard support, was needs-triage)
Ubuntu 14.04 ESM (Trusty Tahr): Does not exist

twisted
Upstream: Released (19.10.0)
Ubuntu 21.04 (Hirsute Hippo): Released (18.9.0-6ubuntu1)
Ubuntu 20.10 (Groovy Gorilla): Released (18.9.0-6ubuntu1)
Ubuntu 20.04 LTS (Focal Fossa): Released (18.9.0-6ubuntu1)
Ubuntu 18.04 LTS (Bionic Beaver): Released (17.9.0-2ubuntu0.1)
Ubuntu 16.04 ESM (Xenial Xerus): Not vulnerable (http2 support not implemented)
Ubuntu 14.04 ESM (Trusty Tahr): Not vulnerable (http2 support not implemented)
Patches:
Upstream: https://github.com/twisted/twisted/commit/1595d9adc21c580065d1d6036c9611c411990816

Notes

Author: sbeattie
nginx added http2 support in 1.9.5
nginx previously fixed issue for CVE-2018-16844
netty added http2 support in 4.1.0
nghttp2: nghttpd and nghttp are affected, libnghttp2 is not
twisted added http2 support in 16.3
trafficserver enabled http2 support by default in 7.0

Author: mdeslaur
Packages built using golang need to be rebuilt once the vulnerability has been fixed. This CVE entry does not list packages that need rebuilding outside of the main repository or the Ubuntu variants with PPA overlays.
