Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

None

Privileges Required

None

Attack Vector

Network

0

CVE-2019-9515

Disclosure Date: August 13, 2019 •

CVE-2019-9515 CVSS v3 Base Score: 7.5

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.5 High

Impact Score:

3.6

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

None

Integrity (I):

None

Availability (A):

High

References

Canonical

CVE-2019-9515 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515)

Advisory

VU#605641 (https://kb.cert.org/vuls/id/605641)

[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks (https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7@%3Cdev.trafficserver.apache.org%3E)

[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks (https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3E)

[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks (https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E)

20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0 (https://seclists.org/bugtraq/2019/Aug/24)

20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0 (http://seclists.org/fulldisclosure/2019/Aug/16)

https://www.synology.com/security/advisory/Synology_SA_19_33

https://support.f5.com/csp/article/K50233772

https://security.netapp.com/advisory/ntap-20190823-0005

FEDORA-2019-5a6a7bc12c (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP)

FEDORA-2019-6a2980de56 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC)

20190825 [SECURITY] [DSA 4508-1] h2o security update (https://seclists.org/bugtraq/2019/Aug/43)

DSA-4508 (https://www.debian.org/security/2019/dsa-4508)

DSA-4520 (https://www.debian.org/security/2019/dsa-4520)

20190910 [SECURITY] [DSA 4520-1] trafficserver security update (https://seclists.org/bugtraq/2019/Sep/18)

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html

https://kc.mcafee.com/corporate/index?page=content&id=SB10296

https://access.redhat.com/errata/RHSA-2019:2766

https://access.redhat.com/errata/RHSA-2019:2796

https://access.redhat.com/errata/RHSA-2019:2861

https://access.redhat.com/errata/RHSA-2019:2925

https://access.redhat.com/errata/RHSA-2019:2939

https://access.redhat.com/errata/RHSA-2019:2955

https://support.f5.com/csp/article/K50233772?utm_source=f5support&utm_medium=RSS

https://access.redhat.com/errata/RHSA-2019:3892

https://access.redhat.com/errata/RHSA-2019:4018

https://access.redhat.com/errata/RHSA-2019:4019

https://access.redhat.com/errata/RHSA-2019:4021

https://access.redhat.com/errata/RHSA-2019:4020

https://access.redhat.com/errata/RHSA-2019:4045

https://access.redhat.com/errata/RHSA-2019:4042

https://access.redhat.com/errata/RHSA-2019:4040

https://access.redhat.com/errata/RHSA-2019:4041

https://access.redhat.com/errata/RHSA-2019:4352

https://access.redhat.com/errata/RHSA-2020:0727

USN-4308-1 (https://usn.ubuntu.com/4308-1)

Miscellaneous

https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

Rapid7

Technical Analysis