CVE-2019-9515

HIGH

Description

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

References

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html

http://seclists.org/fulldisclosure/2019/Aug/16

https://access.redhat.com/errata/RHSA-2019:2766

https://access.redhat.com/errata/RHSA-2019:2796

https://access.redhat.com/errata/RHSA-2019:2861

https://access.redhat.com/errata/RHSA-2019:2925

https://access.redhat.com/errata/RHSA-2019:2939

https://access.redhat.com/errata/RHSA-2019:2955

https://access.redhat.com/errata/RHSA-2019:3892

https://access.redhat.com/errata/RHSA-2019:4018

https://access.redhat.com/errata/RHSA-2019:4019

https://access.redhat.com/errata/RHSA-2019:4020

https://access.redhat.com/errata/RHSA-2019:4021

https://access.redhat.com/errata/RHSA-2019:4040

https://access.redhat.com/errata/RHSA-2019:4041

https://access.redhat.com/errata/RHSA-2019:4042

https://access.redhat.com/errata/RHSA-2019:4045

https://access.redhat.com/errata/RHSA-2019:4352

https://access.redhat.com/errata/RHSA-2020:0727

https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

https://kb.cert.org/vuls/id/605641/

https://kc.mcafee.com/corporate/index?page=content&id=SB10296

https://lists.apache.org/thread.html/[email protected]%3Cusers.trafficserver.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cannounce.trafficserver.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.trafficserver.apache.org%3E

https://lists.fedoraproject.org/archives/list/[email protected]/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/

https://lists.fedoraproject.org/archives/list/[email protected]/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/

https://seclists.org/bugtraq/2019/Aug/24

https://seclists.org/bugtraq/2019/Aug/43

https://seclists.org/bugtraq/2019/Sep/18

https://security.netapp.com/advisory/ntap-20190823-0005/

https://support.f5.com/csp/article/K50233772

https://support.f5.com/csp/article/K50233772?utm_source=f5support&utm_medium=RSS

https://usn.ubuntu.com/4308-1/

https://www.debian.org/security/2019/dsa-4508

https://www.debian.org/security/2019/dsa-4520

https://www.synology.com/security/advisory/Synology_SA_19_33

Details

Source: MITRE

Published: 2019-08-13

Updated: 2020-10-22

Type: CWE-770

Risk Information

CVSS v2.0

Base Score: 7.8

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Impact Score: 6.9

Exploitability Score: 10

Severity: HIGH

CVSS v3.0

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Vulnerable Software

Configuration 1

AND

OR

cpe:2.3:a:apple:swiftnio:*:*:*:*:*:*:*:*

OR

cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:*:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:* versions from 6.0.0 to 6.2.3 (inclusive)

cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:* versions from 7.0.0 to 7.1.6 (inclusive)

cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:* versions from 8.0.0 to 8.0.3 (inclusive)

Configuration 3

OR

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 5

OR

cpe:2.3:a:synology:diskstation_manager:6.2:*:*:*:*:*:*:*

cpe:2.3:a:synology:skynas:-:*:*:*:*:*:*:*

Configuration 6

AND

OR

cpe:2.3:o:synology:vs960hd_firmware:-:*:*:*:*:*:*:*

OR

cpe:2.3:h:synology:vs960hd:-:*:*:*:*:*:*:*

Configuration 7

OR

cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

Configuration 8

OR

cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 9

OR

cpe:2.3:a:redhat:jboss_core_services:1.0:*:*:*:*:*:*:*

cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*

cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3.0:*:*:*:*:*:*:*

cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*

cpe:2.3:a:redhat:openshift_service_mesh:1.0:*:*:*:*:*:*:*

cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*

cpe:2.3:a:redhat:quay:3.0.0:*:*:*:*:*:*:*

cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*

cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Configuration 10

OR

cpe:2.3:a:oracle:graalvm:19.2.0:*:*:*:enterprise:*:*:*

Configuration 11

OR

cpe:2.3:a:mcafee:web_gateway:*:*:*:*:*:*:*:*

Configuration 12

OR

cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*

Tenable Plugins


ID | Name | Product | Family | Severity
147293 | NewStart CGSL CORE 5.04 / MAIN 5.04 : containerd.io Multiple Vulnerabilities (NS-SA-2021-0006) | Nessus | NewStart CGSL Local Security Checks | high
145589 | CentOS 8 : nodejs:10 (CESA-2019:2925) | Nessus | CentOS Local Security Checks | high
138340 | Arista Networks CloudVision Portal Multiple Vulnerabilities (SA0043) | Nessus | Misc. | high
135883 | FreeBSD : py-twisted -- multiple vulnerabilities (9fbaefb3-837e-11ea-b5b4-641c67a117d8) (Ping Flood) (Reset Flood) (Settings Flood) | Nessus | FreeBSD Local Security Checks | high
134758 | Ubuntu 16.04 LTS / 18.04 LTS / 19.10 : Twisted vulnerabilities (USN-4308-1) (Ping Flood) (Reset Flood) (Settings Flood) | Nessus | Ubuntu Local Security Checks | high
134419 | Arista Networks EOS Multiple Vulnerabilities (SA0043) | Nessus | Misc. | high
132767 | SUSE SLES12 Security Update : nodejs12 (SUSE-SU-2020:0059-1) (0-Length Headers Leak) (Data Dribble) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood) | Nessus | SuSE Local Security Checks | medium
132314 | Red Hat JBoss Enterprise Application Platform 7.x < 7.2.5 Multiple Vulnerabilities | Nessus | CGI abuses | medium
131529 | RHEL 8 : Red Hat Single Sign-On 7.3.5 (RHSA-2019:4042) (Ping Flood) (Reset Flood) (Settings Flood) | Nessus | Red Hat Local Security Checks | medium
131528 | RHEL 7 : Red Hat Single Sign-On 7.3.5 (RHSA-2019:4041) (Ping Flood) (Reset Flood) (Settings Flood) | Nessus | Red Hat Local Security Checks | medium
131527 | RHEL 6 : Red Hat Single Sign-On 7.3.5 (RHSA-2019:4040) (Ping Flood) (Reset Flood) (Settings Flood) | Nessus | Red Hat Local Security Checks | medium
131524 | RHEL 8 : JBoss EAP (RHSA-2019:4020) (Data Dribble) (Ping Flood) (Reset Flood) (Settings Flood) | Nessus | Red Hat Local Security Checks | medium
131523 | RHEL 7 : JBoss EAP (RHSA-2019:4019) (Data Dribble) (Ping Flood) (Reset Flood) (Settings Flood) | Nessus | Red Hat Local Security Checks | medium
131522 | RHEL 6 : JBoss EAP (RHSA-2019:4018) (Data Dribble) (Ping Flood) (Reset Flood) (Settings Flood) | Nessus | Red Hat Local Security Checks | medium
129514 | Oracle Linux 8 : nodejs:10 (ELSA-2019-2925) (0-Length Headers Leak) (Data Dribble) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood) | Nessus | Oracle Linux Local Security Checks | high
129480 | RHEL 8 : nodejs:10 (RHSA-2019:2925) (0-Length Headers Leak) (Data Dribble) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood) | Nessus | Red Hat Local Security Checks | high
129315 | F5 Networks BIG-IP : HTTP/2 Settings Flood vulnerability (K50233772) (Settings Flood) | Nessus | F5 Networks Local Security Checks | high
128669 | openSUSE Security Update : nodejs8 (openSUSE-2019-2115) (0-Length Headers Leak) (Data Dribble) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood) | Nessus | SuSE Local Security Checks | high
128668 | openSUSE Security Update : nodejs10 (openSUSE-2019-2114) (0-Length Headers Leak) (Data Dribble) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood) | Nessus | SuSE Local Security Checks | high
128621 | Debian DSA-4520-1 : trafficserver - security update (Empty Frames Flood) (Ping Flood) (Reset Flood) (Settings Flood) | Nessus | Debian Local Security Checks | high
128468 | SUSE SLES15 Security Update : nodejs8 (SUSE-SU-2019:2260-1) (0-Length Headers Leak) (Data Dribble) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood) | Nessus | SuSE Local Security Checks | high
128467 | SUSE SLES15 Security Update : nodejs10 (SUSE-SU-2019:2259-1) (0-Length Headers Leak) (Data Dribble) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood) | Nessus | SuSE Local Security Checks | high
128411 | SUSE SLES12 Security Update : nodejs10 (SUSE-SU-2019:2254-1) (0-Length Headers Leak) (Data Dribble) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood) | Nessus | SuSE Local Security Checks | high
128181 | Debian DSA-4508-1 : h2o - security update (Ping Flood) (Reset Flood) (Settings Flood) | Nessus | Debian Local Security Checks | high
128136 | FreeBSD : h2o -- multiple HTTP/2 vulnerabilities (73b1e734-c74e-11e9-8052-0028f8d09152) (Ping Flood) (Reset Flood) (Settings Flood) | Nessus | FreeBSD Local Security Checks | high
128135 | FreeBSD : h2o -- multiple HTTP/2 vulnerabilities (72a5579e-c765-11e9-8052-0028f8d09152) (Ping Flood) (Reset Flood) (Settings Flood) | Nessus | FreeBSD Local Security Checks | high
128133 | Fedora 29 : 1:nodejs (2019-6a2980de56) (0-Length Headers Leak) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood) | Nessus | Fedora Local Security Checks | high
128131 | Fedora 30 : 1:nodejs (2019-5a6a7bc12c) (0-Length Headers Leak) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood) | Nessus | Fedora Local Security Checks | high
128043 | FreeBSD : Node.js -- multiple vulnerabilities (c97a940b-c392-11e9-bb38-000d3ab229d6) (0-Length Headers Leak) (Data Dribble) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood) | Nessus | FreeBSD Local Security Checks | high