CVE-2019-9512

Description

Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

How to fix CVE-2019-9512

To remediate CVE-2019-9512, upgrade the affected package to a fixed version below.

• —upgrade to 10.16.3-r0 or later
• —upgrade to 1:0.0+git20161013.8b4af36+dfsg-3+deb9u1 or later
• —upgrade to 2.2.5+dfsg2-3 or later
• —upgrade to 2.2.5+dfsg2-2+deb10u1 or later
• —upgrade to 8.0.5+ds-1 or later
• —upgrade to 0.0.0-20190813141303-74dc4d7220e7 or later
• —upgrade to 0.0.0-20190813141303-74dc4d7220e7 or later
• —upgrade to 0.0.0-20190813141303-74dc4d7220e7 or later
• —upgrade to 1.11.13 or later

Is CVE-2019-9512 being exploited?

Likely — EPSS is 50.8%, placing CVE-2019-9512 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (9)

• from 0, < 10.16.3-r0
• from 0, < 1:0.0+git20161013.8b4af36+dfsg-3+deb9u1
• from 0, < 2.2.5+dfsg2-3
• from 0, < 2.2.5+dfsg2-2+deb10u1
• from 0, < 8.0.5+ds-1
• from 0, < 0.0.0-20190813141303-74dc4d7220e7
• from 0, < 0.0.0-20190813141303-74dc4d7220e7
• from 0, < 0.0.0-20190813141303-74dc4d7220e7
• from 0, < 1.11.13, >= 1.12.0-0, < 1.12.8

CVSS scores

References (78)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-9512
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-9514
• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2019-9512
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-9512
• WEB