CVE-2019-9514
Published: 13 August 2019
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
From the Ubuntu Security Team
It was discovered that Netty incorrectly implements HTTP/2. An attacker could possibly use this issue to cause a denial of service.
Notes
Author | Note |
---|---|
sbeattie | nginx added http2 support in 1.9.5 nginx previously fixed issue for CVE-2018-16844 netty added http2 support in 4.1.0 twisted added http2 support in 16.3 trafficserver enabled http2 support by default in 7.0 |
mdeslaur | Packages built using golang need to be rebuilt once the vulnerability has been fixed. This CVE entry does not list packages that need rebuilding outside of the main repository or the Ubuntu variants with PPA overlays. |
sahnaseredini | nodejs patch is a version upgrade |
Priority
Status
Package | Release | Status |
---|---|---|
golang Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
lunar |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
golang-1.10 Launchpad, Ubuntu, Debian |
bionic |
Needed
|
disco |
Ignored
(end of life)
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
lunar |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Needs triage
|
|
upstream |
Needs triage
|
|
xenial |
Needs triage
|
|
golang-1.11 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
disco |
Ignored
(end of life)
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
lunar |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
Patches: upstream: https://github.com/golang/go/commit/e152b01a468a1c18a290bf9aec52ccea7693c7f2 |
||
golang-1.12 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
disco |
Ignored
(end of life)
|
|
eoan |
Ignored
(end of life)
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
lunar |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
Patches: upstream: https://github.com/golang/go/commit/7139b45d1410ded14e1e131151fd8dfc435ede6c |
||
golang-1.6 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
lunar |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Needs triage
|
|
golang-1.7 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
lunar |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
golang-1.8 Launchpad, Ubuntu, Debian |
bionic |
Needed
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
lunar |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
golang-1.9 Launchpad, Ubuntu, Debian |
bionic |
Needed
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
hirsute |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
lunar |
Does not exist
|
|
mantic |
Does not exist
|
|
noble |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
golang-google-grpc Launchpad, Ubuntu, Debian |
bionic |
Needed
|
cosmic |
Ignored
(end of life)
|
|
disco |
Ignored
(end of life)
|
|
eoan |
Ignored
(end of life)
|
|
focal |
Needed
|
|
groovy |
Ignored
(end of life)
|
|
hirsute |
Ignored
(end of life)
|
|
impish |
Ignored
(end of life)
|
|
jammy |
Needed
|
|
kinetic |
Ignored
(end of life, was needed)
|
|
lunar |
Ignored
(end of life, was needed)
|
|
mantic |
Needed
|
|
noble |
Needed
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Needed
|
|
grpc Launchpad, Ubuntu, Debian |
bionic |
Needed
|
cosmic |
Ignored
(end of life)
|
|
disco |
Ignored
(end of life)
|
|
eoan |
Ignored
(end of life)
|
|
focal |
Needed
|
|
groovy |
Ignored
(end of life)
|
|
hirsute |
Ignored
(end of life)
|
|
impish |
Ignored
(end of life)
|
|
jammy |
Needed
|
|
kinetic |
Ignored
(end of life, was needed)
|
|
lunar |
Ignored
(end of life, was needed)
|
|
mantic |
Needed
|
|
noble |
Needed
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Needed
|
|
h2o Launchpad, Ubuntu, Debian |
bionic |
Needs triage
|
disco |
Released
(2.2.5+dfsg2-2+deb10u1build0.19.04.1)
|
|
eoan |
Not vulnerable
(2.2.5+dfsg2-3)
|
|
focal |
Not vulnerable
(2.2.5+dfsg2-3)
|
|
groovy |
Not vulnerable
(2.2.5+dfsg2-3)
|
|
hirsute |
Not vulnerable
(2.2.5+dfsg2-3)
|
|
impish |
Not vulnerable
(2.2.5+dfsg2-3)
|
|
jammy |
Not vulnerable
(2.2.5+dfsg2-3)
|
|
kinetic |
Not vulnerable
(2.2.5+dfsg2-3)
|
|
lunar |
Not vulnerable
(2.2.5+dfsg2-3)
|
|
mantic |
Not vulnerable
(2.2.5+dfsg2-3)
|
|
noble |
Not vulnerable
(2.2.5+dfsg2-3)
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Does not exist
|
|
netty Launchpad, Ubuntu, Debian |
bionic |
Released
(1:4.1.7-4ubuntu0.1+esm1)
Available with Ubuntu Pro |
cosmic |
Ignored
(end of life)
|
|
disco |
Ignored
(end of life)
|
|
eoan |
Ignored
(end of life)
|
|
focal |
Needed
|
|
groovy |
Ignored
(end of life)
|
|
hirsute |
Ignored
(end of life)
|
|
impish |
Ignored
(end of life)
|
|
jammy |
Needed
|
|
kinetic |
Ignored
(end of life, was needed)
|
|
lunar |
Ignored
(end of life, was needed)
|
|
mantic |
Needed
|
|
noble |
Needed
|
|
trusty |
Not vulnerable
(http2 support not implemented)
|
|
upstream |
Needs triage
|
|
xenial |
Not vulnerable
(http2 support not implemented)
|
|
nginx Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(fixed for CVE-2018-16844)
|
cosmic |
Not vulnerable
(fixed for CVE-2018-16844)
|
|
disco |
Not vulnerable
(fixed for CVE-2018-16844)
|
|
eoan |
Not vulnerable
(fixed for CVE-2018-16844)
|
|
focal |
Not vulnerable
(fixed for CVE-2018-16844)
|
|
groovy |
Not vulnerable
(fixed for CVE-2018-16844)
|
|
hirsute |
Not vulnerable
(fixed for CVE-2018-16844)
|
|
impish |
Not vulnerable
(fixed for CVE-2018-16844)
|
|
jammy |
Not vulnerable
(fixed for CVE-2018-16844)
|
|
kinetic |
Not vulnerable
(fixed for CVE-2018-16844)
|
|
lunar |
Not vulnerable
(fixed for CVE-2018-16844)
|
|
mantic |
Not vulnerable
(fixed for CVE-2018-16844)
|
|
noble |
Not vulnerable
(fixed for CVE-2018-16844)
|
|
trusty |
Not vulnerable
(http2 support not implemented)
|
|
upstream |
Needs triage
|
|
xenial |
Not vulnerable
(fixed for CVE-2018-16844)
|
|
nodejs Launchpad, Ubuntu, Debian |
bionic |
Ignored
(changes too intrusive)
|
focal |
Not vulnerable
(10.19.0~dfsg-3ubuntu1)
|
|
groovy |
Ignored
(end of life)
|
|
hirsute |
Ignored
(end of life)
|
|
impish |
Ignored
(end of life)
|
|
jammy |
Not vulnerable
(12.22.9~dfsg-1ubuntu3)
|
|
kinetic |
Ignored
(end of life, was needs-triage)
|
|
lunar |
Not vulnerable
(18.13.0+dfsg1-1ubuntu2)
|
|
mantic |
Not vulnerable
(18.13.0+dfsg1-1ubuntu2)
|
|
noble |
Not vulnerable
(18.13.0+dfsg1-1ubuntu2)
|
|
trusty |
Ignored
(changes too intrusive)
|
|
upstream |
Needs triage
|
|
xenial |
Ignored
(changes too intrusive)
|
|
trafficserver Launchpad, Ubuntu, Debian |
bionic |
Needed
|
cosmic |
Ignored
(end of life)
|
|
disco |
Ignored
(end of life)
|
|
eoan |
Not vulnerable
(8.0.5+ds-1)
|
|
focal |
Not vulnerable
(8.0.5+ds-1)
|
|
groovy |
Not vulnerable
(8.0.5+ds-1)
|
|
hirsute |
Not vulnerable
(8.0.5+ds-1)
|
|
impish |
Not vulnerable
(8.0.5+ds-1)
|
|
jammy |
Not vulnerable
(8.0.5+ds-1)
|
|
kinetic |
Not vulnerable
(8.0.5+ds-1)
|
|
lunar |
Not vulnerable
(8.0.5+ds-1)
|
|
mantic |
Not vulnerable
(8.0.5+ds-1)
|
|
noble |
Not vulnerable
(8.0.5+ds-1)
|
|
trusty |
Does not exist
|
|
upstream |
Needs triage
|
|
xenial |
Needs triage
|
|
twisted Launchpad, Ubuntu, Debian |
bionic |
Released
(17.9.0-2ubuntu0.1)
|
cosmic |
Ignored
(end of life)
|
|
disco |
Ignored
(end of life)
|
|
eoan |
Released
(18.9.0-3ubuntu1.1)
|
|
focal |
Released
(18.9.0-6ubuntu1)
|
|
groovy |
Released
(18.9.0-6ubuntu1)
|
|
hirsute |
Released
(18.9.0-6ubuntu1)
|
|
impish |
Released
(18.9.0-6ubuntu1)
|
|
jammy |
Released
(18.9.0-6ubuntu1)
|
|
kinetic |
Released
(18.9.0-6ubuntu1)
|
|
lunar |
Released
(18.9.0-6ubuntu1)
|
|
mantic |
Released
(18.9.0-6ubuntu1)
|
|
noble |
Released
(18.9.0-6ubuntu1)
|
|
trusty |
Not vulnerable
(http2 support not implemented)
|
|
upstream |
Released
(19.10.0)
|
|
xenial |
Not vulnerable
(http2 support not implemented)
|
|
Patches: upstream: https://github.com/twisted/twisted/commit/1595d9adc21c580065d1d6036c9611c411990816 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
- https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
- https://netty.io/news/2019/08/13/4-1-39-Final.html
- http://blog.kazuhooku.com/2019/08/h2o-version-226-230-beta2-released.html
- https://github.com/netty/netty/pull/9460
- https://labs.twistedmatrix.com/2019/11/twisted-19100-released.html
- https://ubuntu.com/security/notices/USN-4308-1
- https://ubuntu.com/security/notices/USN-4866-1
- https://github.com/nodejs/node/pull/29133
- https://github.com/nodejs/node/pull/29148
- https://github.com/nodejs/node/pull/29152
- https://www.cve.org/CVERecord?id=CVE-2019-9514
- NVD
- Launchpad
- Debian