CVE-2019-9515
Published: 13 August 2019
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
From the Ubuntu Security Team
It was discovered that Netty incorrectly implements HTTP/2. An attacker could possibly use this issue to cause a denial of service.
Notes
| Author | Note |
|---|---|
| sbeattie | nginx added http2 support in 1.9.5 nginx previously fixed issue for CVE-2018-16844 netty added http2 support in 4.1.0 twisted added http2 support in 16.3 trafficserver enabled http2 support by default in 7.0 |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
golang-google-grpc Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| cosmic |
Ignored
(reached end-of-life)
|
|
| disco |
Ignored
(reached end-of-life)
|
|
| eoan |
Ignored
(reached end-of-life)
|
|
| focal |
Needed
|
|
| groovy |
Ignored
(reached end-of-life)
|
|
| hirsute |
Ignored
(reached end-of-life)
|
|
| impish |
Ignored
(reached end-of-life)
|
|
| jammy |
Needed
|
|
| kinetic |
Needed
|
|
| lunar |
Needed
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Needed
|
|
|
grpc Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| cosmic |
Ignored
(reached end-of-life)
|
|
| disco |
Ignored
(reached end-of-life)
|
|
| eoan |
Ignored
(reached end-of-life)
|
|
| focal |
Needed
|
|
| groovy |
Ignored
(reached end-of-life)
|
|
| hirsute |
Ignored
(reached end-of-life)
|
|
| impish |
Ignored
(reached end-of-life)
|
|
| jammy |
Needed
|
|
| kinetic |
Needed
|
|
| lunar |
Needed
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Needed
|
|
|
h2o Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| disco |
Released
(2.2.5+dfsg2-2+deb10u1build0.19.04.1)
|
|
| eoan |
Not vulnerable
(2.2.5+dfsg2-3)
|
|
| focal |
Not vulnerable
(2.2.5+dfsg2-3)
|
|
| groovy |
Not vulnerable
(2.2.5+dfsg2-3)
|
|
| hirsute |
Not vulnerable
(2.2.5+dfsg2-3)
|
|
| impish |
Not vulnerable
(2.2.5+dfsg2-3)
|
|
| jammy |
Not vulnerable
(2.2.5+dfsg2-3)
|
|
| kinetic |
Not vulnerable
(2.2.5+dfsg2-3)
|
|
| lunar |
Not vulnerable
(2.2.5+dfsg2-3)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(2.2.5+dfsg2-3)
|
|
| xenial |
Does not exist
|
|
|
netty Launchpad, Ubuntu, Debian |
bionic |
Released
(1:4.1.7-4ubuntu0.1+esm1)
|
| cosmic |
Ignored
(reached end-of-life)
|
|
| disco |
Ignored
(reached end-of-life)
|
|
| eoan |
Ignored
(reached end-of-life)
|
|
| focal |
Needed
|
|
| groovy |
Ignored
(reached end-of-life)
|
|
| hirsute |
Ignored
(reached end-of-life)
|
|
| impish |
Ignored
(reached end-of-life)
|
|
| jammy |
Needed
|
|
| kinetic |
Needed
|
|
| lunar |
Needed
|
|
| trusty |
Not vulnerable
(http2 support not implemented)
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
(http2 support not implemented)
|
|
|
nginx Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(fixed for CVE-2018-16844)
|
| cosmic |
Not vulnerable
(fixed for CVE-2018-16844)
|
|
| disco |
Not vulnerable
(fixed for CVE-2018-16844)
|
|
| eoan |
Not vulnerable
(fixed for CVE-2018-16844)
|
|
| focal |
Not vulnerable
(fixed for CVE-2018-16844)
|
|
| groovy |
Not vulnerable
(fixed for CVE-2018-16844)
|
|
| hirsute |
Not vulnerable
(fixed for CVE-2018-16844)
|
|
| impish |
Not vulnerable
(fixed for CVE-2018-16844)
|
|
| jammy |
Not vulnerable
(fixed for CVE-2018-16844)
|
|
| kinetic |
Not vulnerable
(fixed for CVE-2018-16844)
|
|
| lunar |
Not vulnerable
(fixed for CVE-2018-16844)
|
|
| trusty |
Not vulnerable
(http2 support not implemented)
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
(fixed for CVE-2018-16844)
|
|
|
trafficserver Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| cosmic |
Ignored
(reached end-of-life)
|
|
| disco |
Ignored
(reached end-of-life)
|
|
| eoan |
Not vulnerable
(8.0.5+ds-1)
|
|
| focal |
Not vulnerable
(8.0.5+ds-1)
|
|
| groovy |
Not vulnerable
(8.0.5+ds-1)
|
|
| hirsute |
Not vulnerable
(8.0.5+ds-1)
|
|
| impish |
Not vulnerable
(8.0.5+ds-1)
|
|
| jammy |
Not vulnerable
(8.0.5+ds-1)
|
|
| kinetic |
Not vulnerable
(8.0.5+ds-1)
|
|
| lunar |
Not vulnerable
(8.0.5+ds-1)
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Needs triage
|
|
|
twisted Launchpad, Ubuntu, Debian |
bionic |
Released
(17.9.0-2ubuntu0.1)
|
| cosmic |
Ignored
(reached end-of-life)
|
|
| disco |
Ignored
(reached end-of-life)
|
|
| eoan |
Released
(18.9.0-3ubuntu1.1)
|
|
| focal |
Released
(18.9.0-6ubuntu1)
|
|
| groovy |
Released
(18.9.0-6ubuntu1)
|
|
| hirsute |
Released
(18.9.0-6ubuntu1)
|
|
| impish |
Released
(18.9.0-6ubuntu1)
|
|
| jammy |
Released
(18.9.0-6ubuntu1)
|
|
| kinetic |
Released
(18.9.0-6ubuntu1)
|
|
| lunar |
Released
(18.9.0-6ubuntu1)
|
|
| trusty |
Not vulnerable
(http2 support not implemented)
|
|
| upstream |
Released
(19.10.0)
|
|
| xenial |
Not vulnerable
(http2 support not implemented)
|
|
|
Patches: upstream: https://github.com/twisted/twisted/commit/1595d9adc21c580065d1d6036c9611c411990816 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515
- https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
- https://netty.io/news/2019/08/13/4-1-39-Final.html
- http://blog.kazuhooku.com/2019/08/h2o-version-226-230-beta2-released.html
- https://github.com/netty/netty/pull/9460
- https://labs.twistedmatrix.com/2019/11/twisted-19100-released.html
- https://ubuntu.com/security/notices/USN-4308-1
- https://ubuntu.com/security/notices/USN-4866-1
- NVD
- Launchpad
- Debian