Description

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Remediation

References

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html

http://seclists.org/fulldisclosure/2019/Aug/16

https://access.redhat.com/errata/RHSA-2019:2766

https://access.redhat.com/errata/RHSA-2019:2796

https://access.redhat.com/errata/RHSA-2019:2861

https://access.redhat.com/errata/RHSA-2019:2925

https://access.redhat.com/errata/RHSA-2019:2939

https://access.redhat.com/errata/RHSA-2019:2955

https://access.redhat.com/errata/RHSA-2019:3892

https://access.redhat.com/errata/RHSA-2019:4018

https://access.redhat.com/errata/RHSA-2019:4019

https://access.redhat.com/errata/RHSA-2019:4020

https://access.redhat.com/errata/RHSA-2019:4021

https://access.redhat.com/errata/RHSA-2019:4040

https://access.redhat.com/errata/RHSA-2019:4041

https://access.redhat.com/errata/RHSA-2019:4042

https://access.redhat.com/errata/RHSA-2019:4045

https://access.redhat.com/errata/RHSA-2019:4352

https://access.redhat.com/errata/RHSA-2020:0727

https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

https://kb.cert.org/vuls/id/605641/

https://kc.mcafee.com/corporate/index?page=content&id=SB10296

https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E

https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E

https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/

https://seclists.org/bugtraq/2019/Aug/24

https://seclists.org/bugtraq/2019/Aug/43

https://seclists.org/bugtraq/2019/Sep/18

https://security.netapp.com/advisory/ntap-20190823-0005/

https://support.f5.com/csp/article/K50233772

https://support.f5.com/csp/article/K50233772?utm_source=f5support&amp%3Butm_medium=RSS

https://usn.ubuntu.com/4308-1/

https://www.debian.org/security/2019/dsa-4508

https://www.debian.org/security/2019/dsa-4520

https://www.synology.com/security/advisory/Synology_SA_19_33

Related Vulnerabilities

CVE-2016-3674 Vulnerability in maven package com.thoughtworks.xstream:xstream

CVE-2020-36518 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2022-23302 Vulnerability in maven package log4j:log4j

CVE-2022-45384 Vulnerability in maven package org.jenkins-ci.plugins:reverse-proxy-auth-plugin

CVE-2018-14720 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

Severity

High

Classification

CWE-770 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Mailing List Third Party Advisory US Government Resource