Home > Vulnerability Database > CVE-2019-9515

Mend.io Vulnerability Database

New vulnerability? Tell us about it!

CVE-2019-9515

Good to know:

Date: August 13, 2019

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Language: Java

Severity Score

7.5

Related Resources (50)

Url: https://access.redhat.com/errata/RHSA-2019:2861

Url: https://kc.mcafee.com/corporate/index?page=content&id=SB10296

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/

Url: https://access.redhat.com/errata/RHSA-2019:4042

Url: https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7@%3Cdev.trafficserver.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2019:4045

Url: https://access.redhat.com/errata/RHSA-2019:4040

Url: https://access.redhat.com/errata/RHSA-2019:4041

Url: https://www.debian.org/security/2019/dsa-4508

Url: https://access.redhat.com/errata/RHSA-2019:2939

Url: https://access.redhat.com/errata/RHSA-2019:4018

Url: https://seclists.org/bugtraq/2019/Sep/18

Url: https://access.redhat.com/errata/RHSA-2019:4019

Url: https://nvd.nist.gov/vuln/detail/CVE-2019-9515

Url: https://seclists.org/bugtraq/2019/Aug/43

Url: https://access.redhat.com/security/cve/CVE-2019-9515

Url: https://access.redhat.com/errata/RHSA-2019:2796

Url: http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/

Url: https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E

Url: https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E

Url: https://support.f5.com/csp/article/K50233772?utm_source=f5support&%3Butm_medium=RSS

Url: https://access.redhat.com/errata/RHSA-2019:2766

Url: https://access.redhat.com/errata/RHSA-2019:3892

Url: https://support.f5.com/csp/article/K50233772

Url: https://usn.ubuntu.com/4308-1/

Url: https://security-tracker.debian.org/tracker/CVE-2019-9515

Url: https://access.redhat.com/errata/RHSA-2019:4020

Url: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

Url: https://access.redhat.com/errata/RHSA-2019:4021

Url: https://security.alpinelinux.org/vuln/CVE-2019-9515

Url: https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3E

Url: http://seclists.org/fulldisclosure/2019/Aug/16

Url: https://support.f5.com/csp/article/K50233772?utm_source=f5support&utm_medium=RSS

Url: https://www.debian.org/security/2019/dsa-4520

Url: https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/

Url: http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html

Url: https://access.redhat.com/errata/RHSA-2019:2955

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2019-9515

Url: https://seclists.org/bugtraq/2019/Aug/24

Url: https://security.netapp.com/advisory/ntap-20190823-0005/

Url: https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2019:4352

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/

Url: https://access.redhat.com/errata/RHSA-2020:0727

Url: https://kb.cert.org/vuls/id/605641/

Url: https://www.synology.com/security/advisory/Synology_SA_19_33

Url: https://access.redhat.com/errata/RHSA-2019:2925

Url: https://www.mend.io/vulnerability-database/CVE-2019-9515

Severity Score

7.5

Weakness Type (CWE)

Uncontrolled Resource Consumption ('Resource Exhaustion')

CWE-400

Allocation of Resources Without Limits or Throttling

CWE-770

Top Fix

Upgrade Version

Upgrade to version 7.1.7,8.0.4

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

CVSS v2

Base Score:	7.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	COMPLETE
Additional information:

Do you need more information?

Contact Us