Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2019-9515

Published: 13 August 2019

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

From the Ubuntu Security Team

It was discovered that Netty incorrectly implements HTTP/2. An attacker could possibly use this issue to cause a denial of service.

Notes

AuthorNote
sbeattie
nginx added http2 support in 1.9.5
nginx previously fixed issue for CVE-2018-16844
netty added http2 support in 4.1.0
twisted added http2 support in 16.3
trafficserver enabled http2 support by default in 7.0

Priority

Medium

Cvss 3 Severity Score

7.5

Score breakdown

Status

Package Release Status
golang-google-grpc
Launchpad, Ubuntu, Debian
bionic Needed

cosmic Ignored
(end of life)
disco Ignored
(end of life)
eoan Ignored
(end of life)
focal Needed

trusty Does not exist

upstream Needs triage

kinetic Ignored
(end of life, was needed)
hirsute Ignored
(end of life)
groovy Ignored
(end of life)
impish Ignored
(end of life)
jammy Needed

xenial Needed

mantic Needed

lunar Ignored
(end of life, was needed)
grpc
Launchpad, Ubuntu, Debian
bionic Needed

cosmic Ignored
(end of life)
focal Needed

kinetic Ignored
(end of life, was needed)
hirsute Ignored
(end of life)
disco Ignored
(end of life)
eoan Ignored
(end of life)
groovy Ignored
(end of life)
impish Ignored
(end of life)
jammy Needed

trusty Does not exist

upstream Needs triage

xenial Needed

mantic Needed

lunar Ignored
(end of life, was needed)
h2o
Launchpad, Ubuntu, Debian
impish Not vulnerable
(2.2.5+dfsg2-3)
hirsute Not vulnerable
(2.2.5+dfsg2-3)
bionic Needed

disco
Released (2.2.5+dfsg2-2+deb10u1build0.19.04.1)
eoan Not vulnerable
(2.2.5+dfsg2-3)
focal Not vulnerable
(2.2.5+dfsg2-3)
groovy Not vulnerable
(2.2.5+dfsg2-3)
jammy Not vulnerable
(2.2.5+dfsg2-3)
kinetic Not vulnerable
(2.2.5+dfsg2-3)
lunar Not vulnerable
(2.2.5+dfsg2-3)
trusty Does not exist

upstream
Released (2.2.5+dfsg2-3)
xenial Does not exist

mantic Not vulnerable
(2.2.5+dfsg2-3)
nginx
Launchpad, Ubuntu, Debian
impish Not vulnerable
(fixed for CVE-2018-16844)
hirsute Not vulnerable
(fixed for CVE-2018-16844)
bionic Not vulnerable
(fixed for CVE-2018-16844)
cosmic Not vulnerable
(fixed for CVE-2018-16844)
disco Not vulnerable
(fixed for CVE-2018-16844)
eoan Not vulnerable
(fixed for CVE-2018-16844)
focal Not vulnerable
(fixed for CVE-2018-16844)
groovy Not vulnerable
(fixed for CVE-2018-16844)
jammy Not vulnerable
(fixed for CVE-2018-16844)
kinetic Not vulnerable
(fixed for CVE-2018-16844)
lunar Not vulnerable
(fixed for CVE-2018-16844)
trusty Not vulnerable
(http2 support not implemented)
upstream Needs triage

xenial Not vulnerable
(fixed for CVE-2018-16844)
mantic Not vulnerable
(fixed for CVE-2018-16844)
trafficserver
Launchpad, Ubuntu, Debian
impish Not vulnerable
(8.0.5+ds-1)
hirsute Not vulnerable
(8.0.5+ds-1)
bionic Needed

cosmic Ignored
(end of life)
disco Ignored
(end of life)
eoan Not vulnerable
(8.0.5+ds-1)
focal Not vulnerable
(8.0.5+ds-1)
groovy Not vulnerable
(8.0.5+ds-1)
jammy Not vulnerable
(8.0.5+ds-1)
kinetic Not vulnerable
(8.0.5+ds-1)
lunar Not vulnerable
(8.0.5+ds-1)
trusty Does not exist

upstream Needs triage

xenial Needs triage

mantic Not vulnerable
(8.0.5+ds-1)
twisted
Launchpad, Ubuntu, Debian
impish
Released (18.9.0-6ubuntu1)
hirsute
Released (18.9.0-6ubuntu1)
bionic
Released (17.9.0-2ubuntu0.1)
cosmic Ignored
(end of life)
disco Ignored
(end of life)
eoan
Released (18.9.0-3ubuntu1.1)
focal
Released (18.9.0-6ubuntu1)
groovy
Released (18.9.0-6ubuntu1)
jammy
Released (18.9.0-6ubuntu1)
kinetic
Released (18.9.0-6ubuntu1)
lunar
Released (18.9.0-6ubuntu1)
trusty Not vulnerable
(http2 support not implemented)
upstream
Released (19.10.0)
xenial Not vulnerable
(http2 support not implemented)
mantic
Released (18.9.0-6ubuntu1)
Patches:
upstream: https://github.com/twisted/twisted/commit/1595d9adc21c580065d1d6036c9611c411990816
netty
Launchpad, Ubuntu, Debian
kinetic Ignored
(end of life, was needed)
hirsute Ignored
(end of life)
bionic
Released (1:4.1.7-4ubuntu0.1+esm1)
Available with Ubuntu Pro
cosmic Ignored
(end of life)
disco Ignored
(end of life)
eoan Ignored
(end of life)
focal Needed

groovy Ignored
(end of life)
impish Ignored
(end of life)
jammy Needed

trusty Not vulnerable
(http2 support not implemented)
upstream Needs triage

xenial Not vulnerable
(http2 support not implemented)
mantic Needed

lunar Ignored
(end of life, was needed)

Severity score breakdown

Parameter Value
Base score 7.5
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H