PT-2019-3016 · Google+10 · Golang.Org/X/Net/Http2+11
Jonathan Looney · Published 2019-08-13 · Updated 2026-05-18 · CVE-2019-9514
CVSS v2.0: 7.8 (High)
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
HTTP/2 implementations (affected versions not specified)
golang.org/x/net/http2 (affected versions not specified)
Arista’s EOS (affected versions not specified)
Arista’s CloudVision Portal (affected versions not specified)
Access Points with OpenConfig interface enabled (affected versions not specified)
Description
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. Servers that accept direct connections from untrusted clients could be remotely made to allocate an unlimited amount of memory, until the program crashes.
Recommendations
For HTTP/2 implementations, consider disabling the HTTP/2 protocol until a patch is available.
For golang.org/x/net/http2, update to a version that includes the fix for the reset flood vulnerability.
For Arista’s EOS, disable TerminAttr and OpenConfig services if they are enabled.
For Arista’s CloudVision Portal, restrict access to the ingest component in the CVP Backend.
For Access Points with OpenConfig interface enabled, disable the OpenConfig interface unless explicitly needed.
As a temporary workaround, consider limiting the total number of internal error resets emitted by default before the connection is closed.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
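The workaround in the last recommendation, a per-connection cap on internal-error resets after which the connection is closed, shown as an added Go illustration of the mechanism described above (this is not code from golang.org/x/net/http2 or any listed vendor; the conn and resetFrame types, the cap of 1000 and the flood size are constructed assumptions):

```go
package main

import "fmt"

// resetFrame is a simplified stand-in for an HTTP/2 RST_STREAM frame.
type resetFrame struct {
	streamID  uint32
	errorCode uint32 // 0x2 is INTERNAL_ERROR in RFC 7540
}

// conn models the server side of one HTTP/2 connection (constructed for this
// example; it is not the golang.org/x/net/http2 server).
type conn struct {
	maxResets  int          // internal-error resets allowed before closing
	resetCount int          // resets emitted so far on this connection
	outbound   []resetFrame // write queue; a flood grows this without a cap
	closed     bool
}

// onInvalidRequest handles a request on streamID that cannot be processed.
// Each call queues one RST_STREAM, which is the unbounded allocation the
// advisory describes, until the cap is hit; then the connection is closed
// instead and false is returned.
func (c *conn) onInvalidRequest(streamID uint32) bool {
	if c.closed {
		return false
	}
	if c.resetCount >= c.maxResets {
		c.closed = true // pending frames are discarded with the connection
		return false
	}
	c.resetCount++
	c.outbound = append(c.outbound, resetFrame{streamID: streamID, errorCode: 0x2})
	return true
}

// simulateFlood sends n invalid requests on client-initiated (odd) stream IDs
// and reports how many resets were queued and whether the connection closed.
func simulateFlood(n, maxResets int) (queued int, closed bool) {
	c := &conn{maxResets: maxResets}
	for i := 1; i <= n; i++ {
		if !c.onInvalidRequest(uint32(2*i - 1)) {
			break
		}
	}
	return len(c.outbound), c.closed
}

func main() {
	q, closed := simulateFlood(100000, 1000) // constructed flood size and cap
	fmt.Printf("queued=%d closed=%v\n", q, closed)
}
```

Without the cap the outbound slice would hold one frame per invalid request for as long as the client keeps sending, which is the memory growth the description refers to.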
DoS
Resource Exhaustion
Allocation of Resources Without Limits
Related identifiers
Affected products
Alt Linux
Almalinux
Centos
Cloudvision Portal
Debian
Eos
Red Hat
Rocky Linux
Suse
Ubuntu
Windows
Golang.Org/X/Net/Http2