
CVE-2019-9513

Published: 13 August 2019

Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU.
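A defensive illustration of the mitigation pattern for this class of bug, added here and not taken from nginx, nghttp2 or Node.js: a per-connection guard that caps the number of PRIORITY frames a peer may send relative to the streams it has opened, so churn of the priority tree stays bounded. The budget constants and the frame model are assumptions for the example.

```python
from dataclasses import dataclass

# Illustrative assumptions, not values taken from nginx, nghttp2 or Node.js:
PRIORITY_FRAMES_BASE = 32        # allowance before any stream has been opened
PRIORITY_FRAMES_PER_STREAM = 4   # extra allowance per stream the client opens


@dataclass
class Http2ConnGuard:
    """Tracks one connection and bounds PRIORITY churn by opened streams."""
    streams_opened: int = 0
    priority_frames: int = 0

    def budget(self) -> int:
        return PRIORITY_FRAMES_BASE + PRIORITY_FRAMES_PER_STREAM * self.streams_opened

    def on_headers(self) -> None:
        self.streams_opened += 1

    def on_priority(self) -> bool:
        """Return False when this PRIORITY frame exceeds the connection's budget."""
        self.priority_frames += 1
        return self.priority_frames <= self.budget()


def process_frames(frames):
    """Feed (frame_type, stream_id) pairs through the guard.

    Returns (frames_accepted, connection_closed). A client that opens streams
    and reprioritises each of them a few times never trips the guard; a client
    that keeps reshuffling the same streams is cut off once its budget is spent.
    """
    guard = Http2ConnGuard()
    for index, (frame_type, _stream_id) in enumerate(frames):
        if frame_type == "HEADERS":
            guard.on_headers()
        elif frame_type == "PRIORITY" and not guard.on_priority():
            # A server would send GOAWAY(ENHANCE_YOUR_CALM) and drop the connection.
            return index, True
    return len(frames), False


# Constructed sample traffic (not captured data):
NORMAL_CLIENT = [("HEADERS", 1), ("PRIORITY", 1), ("HEADERS", 3), ("PRIORITY", 3)]
CHURNING_CLIENT = [("HEADERS", 1), ("HEADERS", 3)] + [
    ("PRIORITY", 1 if k % 2 else 3) for k in range(100)
]
```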

Notes

sbeattie: nginx added http2 support in 1.9.5
sbeattie: nghttp2: nghttpd and nghttp are affected, libnghttp2 is not
mdeslaur: nghttp2-server is in universe
sahnaseredini: nodejs patch is a version upgrade

Priority

Medium

CVSS 3 Severity Score

7.5

Score breakdown

Status

Package: nghttp2
xenial: Needed
impish: Not vulnerable (1.39.2-1)
hirsute: Not vulnerable (1.39.2-1)
jammy: Not vulnerable (1.39.2-1)
bionic: Needed
cosmic: Ignored (end of life)
disco: Ignored (end of life)
eoan: Not vulnerable (1.39.2-1)
focal: Not vulnerable (1.39.2-1)
groovy: Not vulnerable (1.39.2-1)
kinetic: Not vulnerable (1.39.2-1)
lunar: Not vulnerable (1.39.2-1)
trusty: Does not exist
upstream: Released (1.39.2)
mantic: Not vulnerable (1.39.2-1)
Binaries built from this source package are in Universe and so are supported by the community.

Package: nginx
impish: Released (1.16.1-0ubuntu1)
hirsute: Released (1.16.1-0ubuntu1)
jammy: Released (1.16.1-0ubuntu1)
bionic: Released (1.14.0-0ubuntu1.4)
cosmic: Ignored (end of life)
disco: Released (1.15.9-0ubuntu1.1)
eoan: Released (1.16.1-0ubuntu1)
focal: Released (1.16.1-0ubuntu1)
groovy: Released (1.16.1-0ubuntu1)
kinetic: Released (1.16.1-0ubuntu1)
lunar: Released (1.16.1-0ubuntu1)
trusty: Not vulnerable (http2 support not implemented)
upstream: Needs triage
xenial: Released (1.10.3-0ubuntu0.16.04.4)
mantic: Released (1.16.1-0ubuntu1)
Patches:
upstream: https://github.com/nginx/nginx/commit/39bb3b9d4a33bd03c8ae0134dedc8a7700ae7b2b

Package: nodejs
kinetic: Ignored (end of life, was needs-triage)
jammy: Not vulnerable (12.22.9~dfsg-1ubuntu3)
upstream: Needs triage
bionic: Ignored (changes too intrusive)
trusty: Ignored (changes too intrusive)
focal: Not vulnerable (10.19.0~dfsg-3ubuntu1)
groovy: Ignored (end of life)
hirsute: Ignored (end of life)
xenial: Ignored (changes too intrusive)
impish: Ignored (end of life)
lunar: Not vulnerable (18.13.0+dfsg1-1ubuntu2)
mantic: Not vulnerable (18.13.0+dfsg1-1ubuntu2)

Severity score breakdown

Base score: 7.5
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality impact: None
Integrity impact: None
Availability impact: High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H