CVE-2019-9515

Published: 13 August 2019

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

From the Ubuntu Security Team

It was discovered that Netty incorrectly implements HTTP/2. An attacker could possibly use this issue to cause a denial of service.

Notes

Author	Note
sbeattie	nginx added http2 support in 1.9.5 nginx previously fixed issue for CVE-2018-16844 netty added http2 support in 4.1.0 twisted added http2 support in 16.3 trafficserver enabled http2 support by default in 7.0

Author

Note

sbeattie

nginx added http2 support in 1.9.5
nginx previously fixed issue for CVE-2018-16844
netty added http2 support in 4.1.0
twisted added http2 support in 16.3
trafficserver enabled http2 support by default in 7.0

Priority

Cvss 3 Severity Score

7.5

Score breakdown

Status

Package	Release	Status
golang-google-grpc Launchpad, Ubuntu, Debian	bionic	Needed
	cosmic	Ignored (end of life)
	disco	Ignored (end of life)
	eoan	Ignored (end of life)
	focal	Needed
	trusty	Does not exist
	upstream	Needs triage
	kinetic	Ignored (end of life, was needed)
	hirsute	Ignored (end of life)
	groovy	Ignored (end of life)
	impish	Ignored (end of life)
	jammy	Needed
	lunar	Needed
	xenial	Needed
	mantic	Needed
grpc Launchpad, Ubuntu, Debian	bionic	Needed
	cosmic	Ignored (end of life)
	focal	Needed
	kinetic	Ignored (end of life, was needed)
	hirsute	Ignored (end of life)
	disco	Ignored (end of life)
	eoan	Ignored (end of life)
	groovy	Ignored (end of life)
	impish	Ignored (end of life)
	jammy	Needed
	lunar	Needed
	trusty	Does not exist
	upstream	Needs triage
	xenial	Needed
	mantic	Needed
h2o Launchpad, Ubuntu, Debian	impish	Not vulnerable (2.2.5+dfsg2-3)
	hirsute	Not vulnerable (2.2.5+dfsg2-3)
	bionic	Needed
	disco	Released (2.2.5+dfsg2-2+deb10u1build0.19.04.1)
	eoan	Not vulnerable (2.2.5+dfsg2-3)
	focal	Not vulnerable (2.2.5+dfsg2-3)
	groovy	Not vulnerable (2.2.5+dfsg2-3)
	jammy	Not vulnerable (2.2.5+dfsg2-3)
	kinetic	Not vulnerable (2.2.5+dfsg2-3)
	lunar	Not vulnerable (2.2.5+dfsg2-3)
	trusty	Does not exist
	upstream	Released (2.2.5+dfsg2-3)
	xenial	Does not exist
	mantic	Not vulnerable (2.2.5+dfsg2-3)
nginx Launchpad, Ubuntu, Debian	impish	Not vulnerable (fixed for CVE-2018-16844)
	hirsute	Not vulnerable (fixed for CVE-2018-16844)
	bionic	Not vulnerable (fixed for CVE-2018-16844)
	cosmic	Not vulnerable (fixed for CVE-2018-16844)
	disco	Not vulnerable (fixed for CVE-2018-16844)
	eoan	Not vulnerable (fixed for CVE-2018-16844)
	focal	Not vulnerable (fixed for CVE-2018-16844)
	groovy	Not vulnerable (fixed for CVE-2018-16844)
	jammy	Not vulnerable (fixed for CVE-2018-16844)
	kinetic	Not vulnerable (fixed for CVE-2018-16844)
	lunar	Not vulnerable (fixed for CVE-2018-16844)
	trusty	Not vulnerable (http2 support not implemented)
	upstream	Needs triage
	xenial	Not vulnerable (fixed for CVE-2018-16844)
	mantic	Not vulnerable (fixed for CVE-2018-16844)
trafficserver Launchpad, Ubuntu, Debian	impish	Not vulnerable (8.0.5+ds-1)
	hirsute	Not vulnerable (8.0.5+ds-1)
	bionic	Needed
	cosmic	Ignored (end of life)
	disco	Ignored (end of life)
	eoan	Not vulnerable (8.0.5+ds-1)
	focal	Not vulnerable (8.0.5+ds-1)
	groovy	Not vulnerable (8.0.5+ds-1)
	jammy	Not vulnerable (8.0.5+ds-1)
	kinetic	Not vulnerable (8.0.5+ds-1)
	lunar	Not vulnerable (8.0.5+ds-1)
	trusty	Does not exist
	upstream	Needs triage
	xenial	Needs triage
	mantic	Not vulnerable (8.0.5+ds-1)
twisted Launchpad, Ubuntu, Debian	impish	Released (18.9.0-6ubuntu1)
	hirsute	Released (18.9.0-6ubuntu1)
	bionic	Released (17.9.0-2ubuntu0.1)
	cosmic	Ignored (end of life)
	disco	Ignored (end of life)
	eoan	Released (18.9.0-3ubuntu1.1)
	focal	Released (18.9.0-6ubuntu1)
	groovy	Released (18.9.0-6ubuntu1)
	jammy	Released (18.9.0-6ubuntu1)
	kinetic	Released (18.9.0-6ubuntu1)
	lunar	Released (18.9.0-6ubuntu1)
	trusty	Not vulnerable (http2 support not implemented)
	upstream	Released (19.10.0)
	xenial	Not vulnerable (http2 support not implemented)
	mantic	Released (18.9.0-6ubuntu1)
	Patches: upstream: https://github.com/twisted/twisted/commit/1595d9adc21c580065d1d6036c9611c411990816
netty Launchpad, Ubuntu, Debian	kinetic	Ignored (end of life, was needed)
	hirsute	Ignored (end of life)
	bionic	Released (1:4.1.7-4ubuntu0.1+esm1) Available with Ubuntu Pro
	cosmic	Ignored (end of life)
	disco	Ignored (end of life)
	eoan	Ignored (end of life)
	focal	Needed
	groovy	Ignored (end of life)
	impish	Ignored (end of life)
	jammy	Needed
	lunar	Needed
	trusty	Not vulnerable (http2 support not implemented)
	upstream	Needs triage
	xenial	Not vulnerable (http2 support not implemented)
	mantic	Needed

Severity score breakdown

Parameter	Value
Base score	7.5
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	None
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›