CVE-2019-9515
Summary
| CVE | CVE-2019-9515 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-08-13 21:15:00 UTC |
| Updated | 2023-11-07 03:13:00 UTC |
| Description | Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. |
Risk And Classification
Problem Types: CWE-770
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Traffic Server | All | All | All | All |
| Operating System | Apple | Mac Os X | All | All | All | All |
| Application | Apple | Swiftnio | All | All | All | All |
| Operating System | Canonical | Ubuntu Linux | All | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 16.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 18.04 | All | All | All |
| Operating System | Canonical | Ubuntu Linux | 19.04 | All | All | All |
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Application | F5 | Big-ip Local Traffic Manager | All | All | All | All |
| Operating System | Fedoraproject | Fedora | 29 | All | All | All |
| Operating System | Fedoraproject | Fedora | 30 | All | All | All |
| Application | Mcafee | Web Gateway | All | All | All | All |
| Application | Nodejs | Node.js | All | All | All | All |
| Operating System | Opensuse | Leap | 15.0 | All | All | All |
| Operating System | Opensuse | Leap | 15.1 | All | All | All |
| Application | Oracle | Graalvm | 19.2.0 | All | All | All |
| Operating System | Redhat | Enterprise Linux | 8.0 | All | All | All |
| Application | Redhat | Jboss Core Services | 1.0 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 7.2.0 | All | All | All |
| Application | Redhat | Jboss Enterprise Application Platform | 7.3.0 | All | All | All |
| Application | Redhat | Openshift Container Platform | 4.1 | All | All | All |
| Application | Redhat | Openshift Service Mesh | 1.0 | All | All | All |
| Application | Redhat | Openstack | 14 | All | All | All |
| Application | Redhat | Quay | 3.0.0 | All | All | All |
| Application | Redhat | Single Sign-on | 7.3 | All | All | All |
| Application | Redhat | Software Collections | 1.0 | All | All | All |
| Application | Synology | Diskstation Manager | 6.2 | All | All | All |
| Application | Synology | Skynas | - | All | All | All |
| Hardware | Synology | Vs960hd | - | All | All | All |
| Operating System | Synology | Vs960hd Firmware | - | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| Pony Mail! | MLIST | lists.apache.org | Third Party Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| Bugtraq: [SECURITY] [DSA 4520-1] trafficserver security update | BUGTRAQ | seclists.org | Mailing List, Third Party Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| [SECURITY] Fedora 29 Update: nodejs-10.16.3-1.fc29 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | Mailing List, Third Party Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| Full Disclosure: APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0 | FULLDISC | seclists.org | Mailing List, Third Party Advisory |
| Pony Mail! | | lists.apache.org | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| Bugtraq: APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0 | BUGTRAQ | seclists.org | Mailing List, Third Party Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| myF5 | | support.f5.com | |
| Pony Mail! | MLIST | lists.apache.org | Third Party Advisory |
| Pony Mail! | | lists.apache.org | |
| McAfee Security Bulletin - Updates and product status for HTTP/2 vulnerabilities (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518, CVE-2019-3643, and CVE-2019-3644) | CONFIRM | kc.mcafee.com | Third Party Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| USN-4308-1: Twisted vulnerabilities \| Ubuntu security notices \| Ubuntu | UBUNTU | usn.ubuntu.com | Third Party Advisory |
| August 2019 Node.js Vulnerabilities in NetApp Products \| NetApp Product Security | CONFIRM | security.netapp.com | Third Party Advisory |
| Synology Inc. | CONFIRM | www.synology.com | Third Party Advisory |
| Pony Mail! | | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | Third Party Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| [security-announce] openSUSE-SU-2019:2115-1: important: Security update | SUSE | lists.opensuse.org | Mailing List, Third Party Advisory |
| Debian -- Security Information -- DSA-4508-1 h2o | DEBIAN | www.debian.org | Third Party Advisory |
| security-bulletins/2019-002.md at master · Netflix/security-bulletins · GitHub | MISC | github.com | Third Party Advisory |
| support.f5.com/csp/article/K50233772 | CONFIRM | support.f5.com | Third Party Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| [SECURITY] Fedora 29 Update: nodejs-10.16.3-1.fc29 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org | |
| [SECURITY] Fedora 30 Update: nodejs-10.16.3-1.fc30 - package-announce - Fedora Mailing-Lists | | lists.fedoraproject.org | |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| Debian -- Security Information -- DSA-4520-1 trafficserver | DEBIAN | www.debian.org | Third Party Advisory |
| Bugtraq: [SECURITY] [DSA 4508-1] h2o security update | BUGTRAQ | seclists.org | Mailing List, Third Party Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| support.f5.com/csp/article/K50233772 | CONFIRM | support.f5.com | Third Party Advisory |
| [security-announce] openSUSE-SU-2019:2114-1: important: Security update | SUSE | lists.opensuse.org | Mailing List, Third Party Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| [SECURITY] Fedora 30 Update: nodejs-10.16.3-1.fc30 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | Mailing List, Third Party Advisory |
| VU#605641 - HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustion | CERT-VN | kb.cert.org | Third Party Advisory, US Government Resource |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| Red Hat Customer Portal | REDHAT | access.redhat.com | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Thanks to Jonathan Looney of Netflix for reporting this vulnerability.
Legacy QID Mappings
- 296079 Oracle Solaris 11.4 Support Repository Update (SRU) 15.5.0 Missing (CPUOCT2019)
- 500434 Alpine Linux Security Update for nodejs
- 500854 Alpine Linux Security Update for containerd
- 500995 Alpine Linux Security Update for h2o
- 501367 Alpine Linux Security Update for py3-twisted
- 504197 Alpine Linux Security Update for nodejs
- 504636 Alpine Linux Security Update for containerd
- 690329 Free Berkeley Software Distribution (FreeBSD) Security Update for h2o (73b1e734-c74e-11e9-8052-0028f8d09152)
- 940051 AlmaLinux Security Update for nodejs:10 (ALSA-2019:2925)