CVE-2019-9515

Priority
Description
Some HTTP/2 implementations are vulnerable to a settings flood, potentially
leading to a denial of service. The attacker sends a stream of SETTINGS
frames to the peer. Since the RFC requires that the peer reply with one
acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost
equivalent in behavior to a ping. Depending on how efficiently this data is
queued, this can consume excess CPU, memory, or both.
Notes
 sbeattie> nginx added http2 support in 1.9.5
 sbeattie> nginx previously fixed issue for CVE-2018-16844
 sbeattie> netty added http2 support in 4.1.0
 sbeattie> twisted added http2 support in 16.3
 sbeattie> trafficserver enabled http2 support by default in 7.0
 mdeslaur>
 mdeslaur> no details on any possible twisted fixes as of 2019-09-16
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.04 (Disco Dingo):needed
Ubuntu 19.10 (Eoan):needed
Package
Source: grpc (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.04 (Disco Dingo):needed
Ubuntu 19.10 (Eoan):needed
Package
Source: h2o (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):needs-triage
Ubuntu 19.04 (Disco Dingo):released (2.2.5+dfsg2-2+deb10u1build0.19.04.1)
Ubuntu 19.10 (Eoan):not-affected (2.2.5+dfsg2-3)
Package
Source: netty (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):not-affected (http2 support not implemented)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (http2 support not implemented)
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.04 (Disco Dingo):needed
Ubuntu 19.10 (Eoan):needed
Package
Source: nginx (LP Ubuntu Debian)
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):not-affected (http2 support not implemented)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (fixed for CVE-2018-16844)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (fixed for CVE-2018-16844)
Ubuntu 19.04 (Disco Dingo):not-affected (fixed for CVE-2018-16844)
Ubuntu 19.10 (Eoan):not-affected (fixed for CVE-2018-16844)
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):needs-triage
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.04 (Disco Dingo):needed
Ubuntu 19.10 (Eoan):needed
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):not-affected (http2 support not implemented)
Ubuntu 14.04 ESM (Trusty Tahr):not-affected (http2 support not implemented)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (http2 support not implemented)
Ubuntu 18.04 LTS (Bionic Beaver):deferred (2019-09-16)
Ubuntu 19.04 (Disco Dingo):deferred (2019-09-16)
Ubuntu 19.10 (Eoan):deferred (2019-09-16)
More Information

Updated: 2019-09-19 14:55:15 UTC (commit d32ebc32606b9517c6fa7d65a15441e2a57a6de5)