Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-9515

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Published

2019-08-13T21:15:12.520

Last Modified

2025-01-14T19:29:55.853

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:N/A:C

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE

Exploitability Score

10.0

Impact Score

6.9

Weaknesses

Type: Secondary
CWE-400
Type: Primary
CWE-770

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apple	swiftnio	≤ 1.4.0	Yes
Operating System	apple	mac_os_x	≥ 10.12	No
Operating System	canonical	ubuntu_linux	≥ 14.04	No
Application	apache	traffic_server	≤ 6.2.3	Yes
Application	apache	traffic_server	≤ 7.1.6	Yes
Application	apache	traffic_server	≤ 8.0.3	Yes
Operating System	canonical	ubuntu_linux	16.04	Yes
Operating System	canonical	ubuntu_linux	18.04	Yes
Operating System	canonical	ubuntu_linux	19.04	Yes
Operating System	debian	debian_linux	9.0	Yes
Operating System	debian	debian_linux	10.0	Yes
Application	synology	skynas	-	Yes
Operating System	synology	diskstation_manager	6.2	Yes
Operating System	synology	vs960hd_firmware	-	Yes
Hardware	synology	vs960hd	-	No
Operating System	fedoraproject	fedora	29	Yes
Operating System	fedoraproject	fedora	30	Yes
Operating System	opensuse	leap	15.0	Yes
Operating System	opensuse	leap	15.1	Yes
Application	redhat	jboss_core_services	1.0	Yes
Application	redhat	jboss_enterprise_application_platform	7.2.0	Yes
Application	redhat	jboss_enterprise_application_platform	7.3.0	Yes
Application	redhat	openshift_container_platform	4.1	Yes
Application	redhat	openshift_service_mesh	1.0	Yes
Application	redhat	openstack	14	Yes
Application	redhat	quay	3.0.0	Yes
Application	redhat	single_sign-on	7.3	Yes
Application	redhat	software_collections	1.0	Yes
Operating System	redhat	enterprise_linux	8.0	Yes
Application	oracle	graalvm	19.2.0	Yes
Application	mcafee	web_gateway	< 7.7.2.24	Yes
Application	mcafee	web_gateway	< 7.8.2.13	Yes
Application	mcafee	web_gateway	< 8.2.0	Yes
Application	f5	big-ip_local_traffic_manager	< 11.6.5.1	Yes
Application	f5	big-ip_local_traffic_manager	< 12.1.5.1	Yes
Application	f5	big-ip_local_traffic_manager	< 13.1.3.2	Yes
Application	f5	big-ip_local_traffic_manager	< 14.0.1.1	Yes
Application	f5	big-ip_local_traffic_manager	< 14.1.2.1	Yes
Application	f5	big-ip_local_traffic_manager	< 15.0.1.1	Yes
Application	nodejs	node.js	≤ 8.8.1	Yes
Application	nodejs	node.js	< 8.16.1	Yes
Application	nodejs	node.js	≤ 10.12.0	Yes
Application	nodejs	node.js	< 10.16.3	Yes
Application	nodejs	node.js	< 12.8.1	Yes

References

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html Mailing List, Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html Mailing List, Third Party Advisory ([email protected])
http://seclists.org/fulldisclosure/2019/Aug/16 Mailing List, Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2766 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2796 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2861 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2925 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2939 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:2955 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:3892 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:4018 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:4019 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:4020 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:4021 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:4040 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:4041 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:4042 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:4045 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2019:4352 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2020:0727 Third Party Advisory ([email protected])
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md Third Party Advisory ([email protected])
https://kb.cert.org/vuls/id/605641/ Third Party Advisory, US Government Resource ([email protected])
https://kc.mcafee.com/corporate/index?page=content&id=SB10296 Third Party Advisory ([email protected])
https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/ ([email protected])
https://seclists.org/bugtraq/2019/Aug/24 Mailing List, Third Party Advisory ([email protected])
https://seclists.org/bugtraq/2019/Aug/43 Mailing List, Third Party Advisory ([email protected])
https://seclists.org/bugtraq/2019/Sep/18 Mailing List, Third Party Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20190823-0005/ Third Party Advisory ([email protected])
https://support.f5.com/csp/article/K50233772 Third Party Advisory ([email protected])
https://support.f5.com/csp/article/K50233772?utm_source=f5support&amp%3Butm_medium=RSS ([email protected])
https://usn.ubuntu.com/4308-1/ Third Party Advisory ([email protected])
https://www.debian.org/security/2019/dsa-4508 Third Party Advisory ([email protected])
https://www.debian.org/security/2019/dsa-4520 Third Party Advisory ([email protected])
https://www.synology.com/security/advisory/Synology_SA_19_33 Third Party Advisory ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://seclists.org/fulldisclosure/2019/Aug/16 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2766 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2796 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2861 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2925 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2939 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2955 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:3892 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:4018 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:4019 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:4020 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:4021 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:4040 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:4041 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:4042 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:4045 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:4352 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2020:0727 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://kb.cert.org/vuls/id/605641/ Third Party Advisory, US Government Resource (af854a3a-2127-422b-91ae-364da2661108)
https://kc.mcafee.com/corporate/index?page=content&id=SB10296 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/ (af854a3a-2127-422b-91ae-364da2661108)
https://seclists.org/bugtraq/2019/Aug/24 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://seclists.org/bugtraq/2019/Aug/43 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://seclists.org/bugtraq/2019/Sep/18 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20190823-0005/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://support.f5.com/csp/article/K50233772 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://support.f5.com/csp/article/K50233772?utm_source=f5support&amp%3Butm_medium=RSS (af854a3a-2127-422b-91ae-364da2661108)
https://usn.ubuntu.com/4308-1/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2019/dsa-4508 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2019/dsa-4520 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.synology.com/security/advisory/Synology_SA_19_33 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)