
CVE-2019-9515

Published: 13 August 2019

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
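The mitigation that fixed implementations converged on is to account for SETTINGS frames per connection and tear the connection down when the peer sends more than a server can reasonably acknowledge. The following is an added illustration of that check, not code from any of the affected projects; the frame parser follows the RFC 7540 frame header layout, while the thresholds (`MAX_PENDING_SETTINGS_ACKS`, `MAX_SETTINGS_PER_WINDOW`) and the sample byte streams are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, Tuple

FRAME_SETTINGS = 0x4   # RFC 7540 frame type for SETTINGS
FRAME_PING = 0x6
FLAG_ACK = 0x1         # ACK flag on SETTINGS and PING frames

# Hypothetical policy values chosen for this example, not taken from the advisory:
MAX_PENDING_SETTINGS_ACKS = 10   # SETTINGS received whose ACK has not reached the wire
MAX_SETTINGS_PER_WINDOW = 100    # SETTINGS frames tolerated on one connection


@dataclass
class Frame:
    length: int
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)


def parse_frames(data: bytes) -> Iterator[Frame]:
    """Split a raw HTTP/2 byte stream (after the preface) into frames."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            raise ValueError("truncated frame")
        yield Frame(length, ftype, flags, stream_id, payload)
        off += 9 + length


@dataclass
class SettingsFloodGuard:
    """Per-connection accounting of SETTINGS frames and the ACKs the server owes."""
    pending_acks: int = 0     # ACKs queued but not yet flushed to the socket
    settings_seen: int = 0    # non-ACK SETTINGS frames received so far
    max_pending: int = MAX_PENDING_SETTINGS_ACKS
    max_per_window: int = MAX_SETTINGS_PER_WINDOW

    def on_frame(self, frame: Frame) -> Tuple[bool, str]:
        """Return (keep_connection, reason) for one received frame."""
        if frame.ftype != FRAME_SETTINGS:
            return True, "ok"
        if frame.stream_id != 0:
            return False, "SETTINGS on non-zero stream (PROTOCOL_ERROR)"
        if frame.flags & FLAG_ACK:
            if frame.length != 0:
                return False, "SETTINGS ACK with payload (FRAME_SIZE_ERROR)"
            return True, "ok"
        if frame.length % 6 != 0:
            return False, "SETTINGS payload not a multiple of 6 (FRAME_SIZE_ERROR)"
        # Every non-ACK SETTINGS frame, empty or not, obliges us to queue an ACK.
        self.settings_seen += 1
        self.pending_acks += 1
        if self.pending_acks > self.max_pending:
            return False, "settings flood: too many unacknowledged SETTINGS queued"
        if self.settings_seen > self.max_per_window:
            return False, "settings flood: SETTINGS rate exceeded"
        return True, "ok"

    def flush_acks(self) -> int:
        """Called when the write side drains; the queued ACKs are now on the wire."""
        sent, self.pending_acks = self.pending_acks, 0
        return sent


def evaluate_stream(data: bytes, flush_every: int = 0) -> Tuple[bool, str, int]:
    """Feed a byte stream through the guard. flush_every models how often the
    writer drains its queue (0 = writer never keeps up, the worst case)."""
    guard = SettingsFloodGuard()
    processed = 0
    for frame in parse_frames(data):
        processed += 1
        keep, reason = guard.on_frame(frame)
        if not keep:
            return False, reason, processed
        if flush_every and processed % flush_every == 0:
            guard.flush_acks()
    return True, "ok", processed


# Constructed sample streams (not captured traffic).
# Benign handshake: SETTINGS with one parameter (MAX_CONCURRENT_STREAMS=100), a PING, a SETTINGS ACK.
BENIGN_STREAM = (build_frame(FRAME_SETTINGS, 0, 0, struct.pack("!HI", 0x3, 100))
                 + build_frame(FRAME_PING, 0, 0, b"\x00" * 8)
                 + build_frame(FRAME_SETTINGS, FLAG_ACK, 0))
# Abusive stream: fifty empty SETTINGS frames, each of which demands an ACK.
FLOOD_STREAM = build_frame(FRAME_SETTINGS, 0, 0) * 50

if __name__ == "__main__":
    print(evaluate_stream(BENIGN_STREAM))
    print(evaluate_stream(FLOOD_STREAM))              # writer stalled: rejected early
    print(evaluate_stream(FLOOD_STREAM, flush_every=1))  # writer keeps up: tolerated
```

The two counters capture the two resources the advisory names: `pending_acks` bounds the memory held by queued acknowledgements when the peer stops reading, and `settings_seen` bounds the CPU spent servicing frames that carry no settings at all. Real servers usually pair the second counter with a time window or a per-frame cost credit rather than a flat lifetime limit.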

From the Ubuntu security team

It was discovered that Netty incorrectly implements HTTP/2. An attacker could possibly use this issue to cause a denial of service.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package / Release / Status

golang-google-grpc (Launchpad, Ubuntu, Debian)
  bionic    Needed
  cosmic    Ignored (reached end-of-life)
  disco     Ignored (reached end-of-life)
  eoan      Ignored (reached end-of-life)
  focal     Needed
  groovy    Ignored (reached end-of-life)
  hirsute   Ignored (reached end-of-life)
  impish    Needed
  jammy     Needed
  precise   Does not exist
  trusty    Does not exist
  upstream  Needs triage
  xenial    Ignored (end of standard support, was needed)

grpc (Launchpad, Ubuntu, Debian)
  bionic    Needed
  cosmic    Ignored (reached end-of-life)
  disco     Ignored (reached end-of-life)
  eoan      Ignored (reached end-of-life)
  focal     Needed
  groovy    Ignored (reached end-of-life)
  hirsute   Ignored (reached end-of-life)
  impish    Needed
  jammy     Needed
  precise   Does not exist
  trusty    Does not exist
  upstream  Needs triage
  xenial    Ignored (end of standard support, was needed)

h2o (Launchpad, Ubuntu, Debian)
  bionic    Needed
  disco     Released (2.2.5+dfsg2-2+deb10u1build0.19.04.1)
  eoan      Not vulnerable (2.2.5+dfsg2-3)
  focal     Not vulnerable (2.2.5+dfsg2-3)
  groovy    Not vulnerable (2.2.5+dfsg2-3)
  hirsute   Not vulnerable (2.2.5+dfsg2-3)
  impish    Not vulnerable (2.2.5+dfsg2-3)
  jammy     Not vulnerable (2.2.5+dfsg2-3)
  precise   Does not exist
  trusty    Does not exist
  upstream  Released (2.2.5+dfsg2-3)
  xenial    Does not exist

netty (Launchpad, Ubuntu, Debian)
  bionic    Needed
  cosmic    Ignored (reached end-of-life)
  disco     Ignored (reached end-of-life)
  eoan      Ignored (reached end-of-life)
  focal     Needed
  groovy    Ignored (reached end-of-life)
  hirsute   Ignored (reached end-of-life)
  impish    Needed
  jammy     Needed
  precise   Does not exist
  trusty    Not vulnerable (http2 support not implemented)
  upstream  Needs triage
  xenial    Not vulnerable (http2 support not implemented)

nginx (Launchpad, Ubuntu, Debian)
  bionic    Not vulnerable (fixed for CVE-2018-16844)
  cosmic    Not vulnerable (fixed for CVE-2018-16844)
  disco     Not vulnerable (fixed for CVE-2018-16844)
  eoan      Not vulnerable (fixed for CVE-2018-16844)
  focal     Not vulnerable (fixed for CVE-2018-16844)
  groovy    Not vulnerable (fixed for CVE-2018-16844)
  hirsute   Not vulnerable (fixed for CVE-2018-16844)
  impish    Not vulnerable (fixed for CVE-2018-16844)
  jammy     Not vulnerable (fixed for CVE-2018-16844)
  precise   Does not exist
  trusty    Not vulnerable (http2 support not implemented)
  upstream  Needs triage
  xenial    Not vulnerable (fixed for CVE-2018-16844)

trafficserver (Launchpad, Ubuntu, Debian)
  bionic    Needed
  cosmic    Ignored (reached end-of-life)
  disco     Ignored (reached end-of-life)
  eoan      Not vulnerable (8.0.5+ds-1)
  focal     Not vulnerable (8.0.5+ds-1)
  groovy    Not vulnerable (8.0.5+ds-1)
  hirsute   Not vulnerable (8.0.5+ds-1)
  impish    Not vulnerable (8.0.5+ds-1)
  jammy     Not vulnerable (8.0.5+ds-1)
  precise   Does not exist
  trusty    Does not exist
  upstream  Needs triage
  xenial    Ignored (end of standard support, was needs-triage)

twisted (Launchpad, Ubuntu, Debian)
  bionic    Released (17.9.0-2ubuntu0.1)
  cosmic    Ignored (reached end-of-life)
  disco     Ignored (reached end-of-life)
  eoan      Released (18.9.0-3ubuntu1.1)
  focal     Released (18.9.0-6ubuntu1)
  groovy    Released (18.9.0-6ubuntu1)
  hirsute   Released (18.9.0-6ubuntu1)
  impish    Released (18.9.0-6ubuntu1)
  jammy     Released (18.9.0-6ubuntu1)
  precise   Not vulnerable (http2 support not implemented)
  trusty    Not vulnerable (http2 support not implemented)
  upstream  Released (19.10.0)
  xenial    Not vulnerable (http2 support not implemented)