CVE - CVE-2019-9515

CVE-ID
CVE-2019-9515	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
BUGTRAQ:20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0 URL:https://seclists.org/bugtraq/2019/Aug/24 BUGTRAQ:20190825 [SECURITY] [DSA 4508-1] h2o security update URL:https://seclists.org/bugtraq/2019/Aug/43 BUGTRAQ:20190910 [SECURITY] [DSA 4520-1] trafficserver security update URL:https://seclists.org/bugtraq/2019/Sep/18 CERT-VN:VU#605641 URL:https://kb.cert.org/vuls/id/605641/ CONFIRM:https://kc.mcafee.com/corporate/index?page=content&id=SB10296 CONFIRM:https://security.netapp.com/advisory/ntap-20190823-0005/ CONFIRM:https://support.f5.com/csp/article/K50233772 CONFIRM:https://support.f5.com/csp/article/K50233772?utm_source=f5support&utm_medium=RSS CONFIRM:https://www.synology.com/security/advisory/Synology_SA_19_33 DEBIAN:DSA-4508 URL:https://www.debian.org/security/2019/dsa-4508 DEBIAN:DSA-4520 URL:https://www.debian.org/security/2019/dsa-4520 FEDORA:FEDORA-2019-5a6a7bc12c URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/ FEDORA:FEDORA-2019-6a2980de56 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/ FULLDISC:20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0 URL:http://seclists.org/fulldisclosure/2019/Aug/16 MISC:https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md MLIST:[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks URL:https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E MLIST:[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks URL:https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7@%3Cdev.trafficserver.apache.org%3E MLIST:[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks URL:https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3E REDHAT:RHSA-2019:2766 URL:https://access.redhat.com/errata/RHSA-2019:2766 REDHAT:RHSA-2019:2796 URL:https://access.redhat.com/errata/RHSA-2019:2796 REDHAT:RHSA-2019:2861 URL:https://access.redhat.com/errata/RHSA-2019:2861 REDHAT:RHSA-2019:2925 URL:https://access.redhat.com/errata/RHSA-2019:2925 REDHAT:RHSA-2019:2939 URL:https://access.redhat.com/errata/RHSA-2019:2939 REDHAT:RHSA-2019:2955 URL:https://access.redhat.com/errata/RHSA-2019:2955 REDHAT:RHSA-2019:3892 URL:https://access.redhat.com/errata/RHSA-2019:3892 REDHAT:RHSA-2019:4018 URL:https://access.redhat.com/errata/RHSA-2019:4018 REDHAT:RHSA-2019:4019 URL:https://access.redhat.com/errata/RHSA-2019:4019 REDHAT:RHSA-2019:4020 URL:https://access.redhat.com/errata/RHSA-2019:4020 REDHAT:RHSA-2019:4021 URL:https://access.redhat.com/errata/RHSA-2019:4021 REDHAT:RHSA-2019:4040 URL:https://access.redhat.com/errata/RHSA-2019:4040 REDHAT:RHSA-2019:4041 URL:https://access.redhat.com/errata/RHSA-2019:4041 REDHAT:RHSA-2019:4042 URL:https://access.redhat.com/errata/RHSA-2019:4042 REDHAT:RHSA-2019:4045 URL:https://access.redhat.com/errata/RHSA-2019:4045 REDHAT:RHSA-2019:4352 URL:https://access.redhat.com/errata/RHSA-2019:4352 REDHAT:RHSA-2020:0727 URL:https://access.redhat.com/errata/RHSA-2020:0727 SUSE:openSUSE-SU-2019:2114 URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html SUSE:openSUSE-SU-2019:2115 URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html UBUNTU:USN-4308-1 URL:https://usn.ubuntu.com/4308-1/
Assigning CNA
CERT/CC
Date Record Created
20190301	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20190301)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)