Description
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
Remediation
References
https://kb.cert.org/vuls/id/605641/
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://seclists.org/bugtraq/2019/Aug/24
http://seclists.org/fulldisclosure/2019/Aug/16
https://www.synology.com/security/advisory/Synology_SA_19_33
https://support.f5.com/csp/article/K50233772
https://security.netapp.com/advisory/ntap-20190823-0005/
https://seclists.org/bugtraq/2019/Aug/43
https://www.debian.org/security/2019/dsa-4508
https://www.debian.org/security/2019/dsa-4520
https://seclists.org/bugtraq/2019/Sep/18
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html
https://kc.mcafee.com/corporate/index?page=content&id=SB10296
https://access.redhat.com/errata/RHSA-2019:2766
https://access.redhat.com/errata/RHSA-2019:2796
https://access.redhat.com/errata/RHSA-2019:2861
https://access.redhat.com/errata/RHSA-2019:2925
https://access.redhat.com/errata/RHSA-2019:2939
https://access.redhat.com/errata/RHSA-2019:2955
https://access.redhat.com/errata/RHSA-2019:3892
https://access.redhat.com/errata/RHSA-2019:4018
https://access.redhat.com/errata/RHSA-2019:4019
https://access.redhat.com/errata/RHSA-2019:4021
https://access.redhat.com/errata/RHSA-2019:4020
https://access.redhat.com/errata/RHSA-2019:4041
https://access.redhat.com/errata/RHSA-2019:4040
https://access.redhat.com/errata/RHSA-2019:4042
https://access.redhat.com/errata/RHSA-2019:4045
https://access.redhat.com/errata/RHSA-2019:4352
https://access.redhat.com/errata/RHSA-2020:0727
https://usn.ubuntu.com/4308-1/
https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E
https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E
https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/
https://support.f5.com/csp/article/K50233772?utm_source=f5support&%3Butm_medium=RSS
Related Vulnerabilities
CVE-2016-5007 Vulnerability in maven package org.springframework.security:spring-security-config
CVE-2022-39202 Vulnerability in npm package matrix-appservice-irc
CVE-2023-47324 Vulnerability in maven package org.silverpeas.core:silverpeas-core-rs
CVE-2020-36379 Vulnerability in npm package aaptjs
CVE-2019-18798 Vulnerability in maven package org.webjars.npm:node-sass