PT-2019-3017 · Google+9 · Golang.Org/X/Net/Http2+11
Jonathan Looney · Published 2019-08-13 · Updated 2026-05-18
CVE-2019-9512 · CVSS v2.0 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
HTTP/2 implementations (affected versions not specified)
golang.org/x/net/http2 (affected versions not specified)
Arista EOS (with TerminAttr and OpenConfig enabled)
Arista CloudVision Portal (ingest component in the CVP Backend)
Arista Wi-Fi software (Access Points with OpenConfig interface enabled)
Description
CVE-2019-9512 is the HTTP/2 ping flood. Every PING frame a peer receives without the ACK flag must be answered with a PING frame that carries the ACK flag and the same 8-byte payload. An attacker opens a connection, sends PING frames continuously and never reads the responses; the server's write side stalls and the PING ACKs pile up in an internal queue. Depending on how that queue is implemented this consumes CPU, memory or both, and can end in a crash. The same disclosure covered the closely related reset flood, in which the attacker opens streams and sends requests the server must reject, so that one RST_STREAM frame per stream is queued under the same conditions; the golang.org/x/net/http2 fix addressed both. Either flood is exploitable by an unauthenticated remote attacker who can open an HTTP/2 connection, and the impact is availability only: confidentiality and integrity are not affected.
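The mechanism above reduces to one invariant: a server that queues a reply for every PING it receives, without a cap, can be driven to exhaustion by a peer that never drains the queue. The following is an added illustration, not code from golang.org/x/net/http2 or any other implementation on this page. It builds and parses raw HTTP/2 PING frames with the standard library, models a connection whose peer has stopped reading, and compares the unbounded queue with a guard that closes the connection once a fixed number of control frames are waiting (the approach the upstream fixes took). The frame format and the PING ACK rule are from RFC 7540; `conn`, `floodPings`, the cap of 10000 used in the usage note and the attack traffic itself are assumptions made for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// PING frame type and ACK flag from RFC 7540 section 6; nothing else is needed.
const (
	framePing uint8 = 0x6
	flagAck   uint8 = 0x1
)

// frame is a decoded HTTP/2 frame: 9-byte header (24-bit length, type, flags, 31-bit stream id) plus payload.
type frame struct {
	typ, flags uint8
	streamID   uint32
	payload    []byte
}

// parseFrame decodes one frame from the front of b and returns the rest of b.
func parseFrame(b []byte) (frame, []byte, error) {
	if len(b) < 9 {
		return frame{}, nil, errors.New("short frame header")
	}
	n := int(b[0])<<16 | int(b[1])<<8 | int(b[2])
	if len(b) < 9+n {
		return frame{}, nil, errors.New("short frame payload")
	}
	sid := binary.BigEndian.Uint32(b[5:9]) & 0x7fffffff // mask the reserved bit
	return frame{typ: b[3], flags: b[4], streamID: sid, payload: b[9 : 9+n]}, b[9+n:], nil
}

// pingFrame encodes a PING (stream 0, 8-byte opaque payload), optionally with ACK.
func pingFrame(data [8]byte, ack bool) []byte {
	hdr := []byte{0, 0, 8, framePing, 0, 0, 0, 0, 0}
	if ack {
		hdr[4] = flagAck
	}
	return append(hdr, data[:]...)
}

var errControlFlood = errors.New("too many queued control frames; closing connection")

// conn models the server side of one connection whose peer has stopped reading, so
// nothing drains the write queue. maxQueued == 0 is the vulnerable unbounded queue;
// a positive value is the guard. RST_STREAM replies in a reset flood use the same queue.
// This is an illustrative model, not the structure any real implementation uses.
type conn struct {
	maxQueued int
	queued    [][]byte // control frames waiting to be written
}

// enqueue appends a control frame and trips the guard once the cap is exceeded.
func (c *conn) enqueue(f []byte) error {
	c.queued = append(c.queued, f)
	if c.maxQueued > 0 && len(c.queued) > c.maxQueued {
		return errControlFlood
	}
	return nil
}

// handleFrame processes one frame from the peer. A PING without ACK must be answered
// with a PING ACK carrying the same payload (section 6.7), so each one costs a queued frame.
func (c *conn) handleFrame(f frame) error {
	switch {
	case f.typ != framePing:
		return nil // other frame types are out of scope here
	case f.streamID != 0 || len(f.payload) != 8:
		return errors.New("PROTOCOL_ERROR: malformed PING")
	case f.flags&flagAck != 0:
		return nil // the peer's reply to one of our own pings; nothing to send
	}
	var d [8]byte
	copy(d[:], f.payload)
	return c.enqueue(pingFrame(d, true))
}

// floodPings feeds n non-ACK PINGs (constructed attack traffic) into a fresh connection
// and reports how many frames were queued and whether the guard closed the connection.
func floodPings(maxQueued, n int) (queued int, tripped bool) {
	c := &conn{maxQueued: maxQueued}
	var wire []byte
	for i := 0; i < n; i++ {
		wire = append(wire, pingFrame([8]byte{byte(i)}, false)...)
	}
	for len(wire) > 0 {
		f, rest, err := parseFrame(wire)
		if err != nil {
			break
		}
		wire = rest
		if err := c.handleFrame(f); errors.Is(err, errControlFlood) {
			return len(c.queued), true
		}
	}
	return len(c.queued), false
}
```

With `floodPings(0, 20000)` every PING ACK stays queued and the count grows with the attacker's send rate; with `floodPings(10000, 20000)` the connection is closed as soon as the 10001st frame is queued, which bounds the memory one client can pin regardless of how long it keeps sending. Note that a PING that already carries ACK is never answered, so an attacker gains nothing by flooding ACKs; the cost comes only from frames the server is obliged to reply to.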
Recommendations
Apply the vendor fix. Ping floods and reset floods are not features that can be switched off; the fix lives in the HTTP/2 implementation, which must cap the number of control frames it will queue for a peer that is not reading. Where a fix cannot be deployed yet:
For HTTP/2 implementations in general, terminate HTTP/2 at a patched front-end (load balancer or reverse proxy) and speak HTTP/1.1 to the backend, or disable HTTP/2 entirely if the clients tolerate it; limit concurrent connections per source address and rate-limit at the network edge.
For golang.org/x/net/http2, update the module and rebuild every binary that imports it. Programs that rely on the HTTP/2 support bundled into the standard library's net/http need a rebuild with an updated Go toolchain, since that bundled copy is not changed by updating the x/net dependency alone. Until then, restrict network access to the listening services to trusted clients.
For Arista EOS, disable TerminAttr and OpenConfig until the fixed release is installed, or restrict those services to the management network.
For Arista CloudVision Portal, restrict network access to the ingest component in the CVP Backend until the fixed release is installed.
For Arista Wi-Fi software, disable the OpenConfig interface on Access Points until the fixed release is installed.
Capping the memory and CPU available to the affected service (for example with cgroups or container limits) keeps a flood from taking down the whole host, but it does not stop the service itself from being exhausted; treat it as containment, not as a mitigation.
Fix
DoS · Resource Exhaustion · Allocation of Resources Without Limits
Affected Products
Alt Linux
AlmaLinux
Arista CloudVision Portal
Arista EOS
Arista Wi-Fi
CentOS
Red Hat
Rocky Linux
SUSE
Ubuntu
Windows
golang.org/x/net/http2