PublicDateAtUSN: 2019-08-13 Candidate: CVE-2019-9515 CRD: 2019-08-13 PublicDate: 2019-08-13 21:15:00 UTC References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515 https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md https://netty.io/news/2019/08/13/4-1-39-Final.html http://blog.kazuhooku.com/2019/08/h2o-version-226-230-beta2-released.html https://github.com/netty/netty/pull/9460 https://labs.twistedmatrix.com/2019/11/twisted-19100-released.html https://ubuntu.com/security/notices/USN-4308-1 Description: Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. Ubuntu-Description: It was discovered that Netty incorrectly implements HTTP/2. An attacker could possibly use this issue to cause a denial of service. Notes: sbeattie> nginx added http2 support in 1.9.5 sbeattie> nginx previously fixed issue for CVE-2018-16844 sbeattie> netty added http2 support in 4.1.0 sbeattie> twisted added http2 support in 16.3 sbeattie> trafficserver enabled http2 support by default in 7.0 Bugs: Priority: medium Discovered-by: Jonathan Looney of Netflix Assigned-to: CVSS: nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH] nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH] Patches_nginx: upstream_nginx: needs-triage precise/esm_nginx: DNE trusty_nginx: ignored (out of standard support) trusty/esm_nginx: not-affected (http2 support not implemented) xenial_nginx: not-affected (fixed for CVE-2018-16844) esm-infra/xenial_nginx: not-affected (fixed for CVE-2018-16844) bionic_nginx: not-affected (fixed for CVE-2018-16844) cosmic_nginx: not-affected (fixed for CVE-2018-16844) disco_nginx: not-affected (fixed for CVE-2018-16844) eoan_nginx: not-affected (fixed for CVE-2018-16844) focal_nginx: not-affected (fixed for CVE-2018-16844) groovy_nginx: not-affected (fixed for CVE-2018-16844) hirsute_nginx: not-affected (fixed for CVE-2018-16844) impish_nginx: not-affected (fixed for CVE-2018-16844) jammy_nginx: not-affected (fixed for CVE-2018-16844) devel_nginx: not-affected (fixed for CVE-2018-16844) Patches_netty: upstream_netty: needs-triage precise/esm_netty: DNE trusty_netty: ignored (out of standard support) trusty/esm_netty: not-affected (http2 support not implemented) xenial_netty: not-affected (http2 support not implemented) bionic_netty: needed cosmic_netty: ignored (reached end-of-life) disco_netty: ignored (reached end-of-life) eoan_netty: ignored (reached end-of-life) focal_netty: needed groovy_netty: ignored (reached end-of-life) hirsute_netty: ignored (reached end-of-life) impish_netty: needed jammy_netty: needed devel_netty: needed Patches_grpc: upstream_grpc: needs-triage precise/esm_grpc: DNE trusty_grpc: DNE trusty/esm_grpc: DNE xenial_grpc: ignored (end of standard support, was needed) bionic_grpc: needed cosmic_grpc: ignored (reached end-of-life) disco_grpc: ignored (reached end-of-life) eoan_grpc: ignored (reached end-of-life) focal_grpc: needed groovy_grpc: ignored (reached end-of-life) hirsute_grpc: ignored (reached end-of-life) impish_grpc: needed jammy_grpc: needed devel_grpc: needed Patches_golang-google-grpc: upstream_golang-google-grpc: needs-triage precise/esm_golang-google-grpc: DNE trusty_golang-google-grpc: DNE trusty/esm_golang-google-grpc: DNE xenial_golang-google-grpc: ignored (end of standard support, was needed) bionic_golang-google-grpc: needed cosmic_golang-google-grpc: ignored (reached end-of-life) disco_golang-google-grpc: ignored (reached end-of-life) eoan_golang-google-grpc: ignored (reached end-of-life) focal_golang-google-grpc: needed groovy_golang-google-grpc: ignored (reached end-of-life) hirsute_golang-google-grpc: ignored (reached end-of-life) impish_golang-google-grpc: needed jammy_golang-google-grpc: needed devel_golang-google-grpc: needed Patches_twisted: upstream: https://github.com/twisted/twisted/commit/1595d9adc21c580065d1d6036c9611c411990816 upstream_twisted: released (19.10.0) precise/esm_twisted: not-affected (http2 support not implemented) trusty_twisted: ignored (out of standard support) trusty/esm_twisted: not-affected (http2 support not implemented) xenial_twisted: not-affected (http2 support not implemented) esm-infra/xenial_twisted: not-affected (http2 support not implemented) bionic_twisted: released (17.9.0-2ubuntu0.1) cosmic_twisted: ignored (reached end-of-life) disco_twisted: ignored (reached end-of-life) eoan_twisted: released (18.9.0-3ubuntu1.1) focal_twisted: released (18.9.0-6ubuntu1) groovy_twisted: released (18.9.0-6ubuntu1) hirsute_twisted: released (18.9.0-6ubuntu1) impish_twisted: released (18.9.0-6ubuntu1) jammy_twisted: released (18.9.0-6ubuntu1) devel_twisted: released (18.9.0-6ubuntu1) Patches_trafficserver: upstream_trafficserver: needs-triage precise/esm_trafficserver: DNE trusty_trafficserver: ignored (out of standard support) trusty/esm_trafficserver: DNE xenial_trafficserver: ignored (end of standard support, was needs-triage) bionic_trafficserver: needed cosmic_trafficserver: ignored (reached end-of-life) disco_trafficserver: ignored (reached end-of-life) eoan_trafficserver: not-affected (8.0.5+ds-1) focal_trafficserver: not-affected (8.0.5+ds-1) groovy_trafficserver: not-affected (8.0.5+ds-1) hirsute_trafficserver: not-affected (8.0.5+ds-1) impish_trafficserver: not-affected (8.0.5+ds-1) jammy_trafficserver: not-affected (8.0.5+ds-1) devel_trafficserver: not-affected (8.0.5+ds-1) Patches_h2o: upstream_h2o: released (2.2.5+dfsg2-3) precise/esm_h2o: DNE trusty_h2o: ignored (out of standard support) trusty/esm_h2o: DNE xenial_h2o: DNE bionic_h2o: needed disco_h2o: released (2.2.5+dfsg2-2+deb10u1build0.19.04.1) eoan_h2o: not-affected (2.2.5+dfsg2-3) focal_h2o: not-affected (2.2.5+dfsg2-3) groovy_h2o: not-affected (2.2.5+dfsg2-3) hirsute_h2o: not-affected (2.2.5+dfsg2-3) impish_h2o: not-affected (2.2.5+dfsg2-3) jammy_h2o: not-affected (2.2.5+dfsg2-3) devel_h2o: not-affected (2.2.5+dfsg2-3)