CVE-2019-9515

Priority
Description
Some HTTP/2 implementations are vulnerable to a settings flood, potentially
leading to a denial of service. The attacker sends a stream of SETTINGS
frames to the peer. Since the RFC requires that the peer reply with one
acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost
equivalent in behavior to a ping. Depending on how efficiently this data is
queued, this can consume excess CPU, memory, or both.
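The description's point is that each non-ACK SETTINGS frame obliges the peer to queue one acknowledgement, so the cost of the flood is set by how that queue is bounded. The following Python is an added example and not code from this page or from any of the listed projects: it parses a raw HTTP/2 frame buffer, queues one ACK per SETTINGS frame that needs one, and returns ENHANCE_YOUR_CALM once the backlog of unsent ACKs exceeds a budget, which is the general shape of the upstream mitigations. The 9-byte frame layout, the SETTINGS validity rules and the error codes follow RFC 7540; the budget value, the function names and the constructed sample buffers are assumptions for illustration.

```python
"""Bound the per-connection SETTINGS acknowledgement backlog (added example)."""
import struct

FRAME_HEADER_LEN = 9
TYPE_SETTINGS = 0x4
TYPE_PING = 0x6
FLAG_ACK = 0x1
# Error codes from RFC 7540 section 7, sent in GOAWAY when closing the connection.
PROTOCOL_ERROR = 0x1
FRAME_SIZE_ERROR = 0x6
ENHANCE_YOUR_CALM = 0xB


def parse_frames(data: bytes):
    """Split a byte buffer into (type, flags, stream_id, payload) tuples.

    A trailing partial frame is left unparsed; a real server would keep it
    until the next read completes it.
    """
    frames = []
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        end = off + FRAME_HEADER_LEN + length
        if end > len(data):
            break
        frames.append((ftype, flags, stream_id, data[off + 9:end]))
        off = end
    return frames


class AckBudget:
    """Count SETTINGS ACKs owed but not yet written; trip when the backlog grows."""

    def __init__(self, max_queued_acks: int = 8):  # limit value is an assumption
        self.max_queued_acks = max_queued_acks
        self.queued_acks = 0

    def on_frame(self, ftype, flags, stream_id, payload):
        """Return None to keep going, or an error code to close the connection."""
        if ftype != TYPE_SETTINGS:
            return None
        if flags & FLAG_ACK:
            return None  # peer acknowledging our SETTINGS; nothing to queue
        if stream_id != 0:
            return PROTOCOL_ERROR  # SETTINGS is a connection-level frame (RFC 7540 6.5)
        if len(payload) % 6 != 0:
            return FRAME_SIZE_ERROR  # each setting is a 2-byte id plus 4-byte value
        self.queued_acks += 1
        if self.queued_acks > self.max_queued_acks:
            return ENHANCE_YOUR_CALM  # more unsent ACKs than we are willing to hold
        return None

    def on_acks_written(self, n: int):
        """Credit back ACKs once the socket writer has flushed them."""
        self.queued_acks = max(0, self.queued_acks - n)


def inspect_read_buffer(data: bytes, max_queued_acks: int = 8):
    """Process one read buffer; ACKs are only written after the whole buffer is parsed.

    Returns (error_code_or_None, frames_processed, queued_acks).
    """
    budget = AckBudget(max_queued_acks)
    processed = 0
    for frame in parse_frames(data):
        processed += 1
        err = budget.on_frame(*frame)
        if err is not None:
            return err, processed, budget.queued_acks
    return None, processed, budget.queued_acks


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Encode one frame; used only to construct the sample buffers below."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + \
        stream_id.to_bytes(4, "big") + payload


# Constructed sample input: a normal connection start (one SETTINGS carrying
# SETTINGS_MAX_CONCURRENT_STREAMS=100, the peer's ACK, a PING) versus a buffer
# holding nothing but empty SETTINGS frames, which is the pattern described above.
BENIGN = (build_frame(TYPE_SETTINGS, 0, 0, struct.pack(">HI", 3, 100))
          + build_frame(TYPE_SETTINGS, FLAG_ACK, 0, b"")
          + build_frame(TYPE_PING, 0, 0, bytes(8)))
FLOOD = build_frame(TYPE_SETTINGS, 0, 0, b"") * 200

if __name__ == "__main__":
    print("benign:", inspect_read_buffer(BENIGN))
    print("flood: ", inspect_read_buffer(FLOOD))
```

The budget is deliberately checked per read buffer rather than per frame count over the connection lifetime: a single `recv()` of a few kilobytes can hold hundreds of 9-byte SETTINGS frames, so the ACK backlog is what must be capped before the writer gets a chance to drain it.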
Ubuntu-Description
It was discovered that Netty incorrectly implements HTTP/2. An attacker could
possibly use this issue to cause a denial of service.
Notes
sbeattie> nginx added http2 support in 1.9.5
nginx previously fixed issue for CVE-2018-16844
netty added http2 support in 4.1.0
twisted added http2 support in 16.3
trafficserver enabled http2 support by default in 7.0
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.10 (Eoan Ermine):needed
Ubuntu 20.04 (Focal Fossa):needed
Package
Source: grpc (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.10 (Eoan Ermine):needed
Ubuntu 20.04 (Focal Fossa):needed
Package
Source: h2o (LP Ubuntu Debian)
Upstream:released (2.2.5+dfsg2-3)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.10 (Eoan Ermine):not-affected (2.2.5+dfsg2-3)
Ubuntu 20.04 (Focal Fossa):not-affected (2.2.5+dfsg2-3)
Package
Source: netty (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):not-affected (http2 support not implemented)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (http2 support not implemented)
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.10 (Eoan Ermine):needed
Ubuntu 20.04 (Focal Fossa):needed
Package
Source: nginx (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):not-affected (http2 support not implemented)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (fixed for CVE-2018-16844)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (fixed for CVE-2018-16844)
Ubuntu 19.10 (Eoan Ermine):not-affected (fixed for CVE-2018-16844)
Ubuntu 20.04 (Focal Fossa):not-affected (fixed for CVE-2018-16844)
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):needs-triage
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.10 (Eoan Ermine):not-affected (8.0.5+ds-1)
Ubuntu 20.04 (Focal Fossa):not-affected (8.0.5+ds-1)
Package
Upstream:released (19.10.0)
Ubuntu 12.04 ESM (Precise Pangolin):not-affected (http2 support not implemented)
Ubuntu 14.04 ESM (Trusty Tahr):not-affected (http2 support not implemented)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (http2 support not implemented)
Ubuntu 18.04 LTS (Bionic Beaver):released (17.9.0-2ubuntu0.1)
Ubuntu 19.10 (Eoan Ermine):released (18.9.0-3ubuntu1.1)
Ubuntu 20.04 (Focal Fossa):released (18.9.0-6ubuntu1)
Patches:
Upstream:https://github.com/twisted/twisted/commit/1595d9adc21c580065d1d6036c9611c411990816
More Information

Updated: 2020-03-19 20:14:41 UTC (commit 3533a7fc1ab97702d9ed96d1b38f0316b43895d2)