PT-2019-3472 · CVE-2019-9515
Credited researchers: Jake Miller and 3 others
Published 2019-08-12 · Updated 2026-05-18
CVSS v2.0: 7.8 (High)
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Apache Traffic Server versions (affected versions not specified)
H2O versions (affected versions not specified)
Node.js versions (affected versions not specified)
SwiftNIO versions (affected versions not specified)
Arista EOS versions (affected versions not specified)
Arista CloudVision Portal versions (affected versions not specified)
Arista Wi-Fi software versions (affected versions not specified)
Ubuntu Linux versions (affected versions not specified)
Debian Linux versions (affected versions not specified)
F5 BIG-IP Local Traffic Manager versions (affected versions not specified)
Fedora versions (affected versions not specified)
McAfee Web Gateway versions (affected versions not specified)
OpenSUSE Leap versions (affected versions not specified)
Oracle GraalVM versions (affected versions not specified)
Red Hat Enterprise Linux versions (affected versions not specified)
Red Hat JBoss Core Services versions (affected versions not specified)
Red Hat JBoss Enterprise Application Platform versions (affected versions not specified)
Red Hat OpenShift Container Platform versions (affected versions not specified)
Red Hat OpenShift Service Mesh versions (affected versions not specified)
Red Hat OpenStack versions (affected versions not specified)
Red Hat Quay versions (affected versions not specified)
Red Hat Single Sign-On versions (affected versions not specified)
Red Hat Software Collections versions (affected versions not specified)
Synology DiskStation Manager versions (affected versions not specified)
Synology SkyNAS versions (affected versions not specified)
Synology VS960HD Firmware versions (affected versions not specified)
Description
The vulnerability stems from missing limits on resource consumption in the HTTP/2 protocol implementations of the products listed above. An attacker who can open an HTTP/2 connection sends a continuous stream of SETTINGS frames to the affected component; each such frame must be acknowledged by the receiver, so the work and the pending acknowledgements grow without bound while the attacker keeps sending. The result is excessive CPU or memory consumption, and if the stream continues the component may run out of memory, causing a denial of service.
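As an added illustration (this code is not part of the advisory or of any listed product), the following Python walks the raw frames of an HTTP/2 connection, counts the SETTINGS frames that oblige the receiver to reply, and returns a verdict once a per-connection budget is exceeded, which is the kind of limit a server needs to stop the flood described above. The frame layout and SETTINGS rules come from RFC 7540; the budget of 32 frames and the sample traffic are assumptions constructed for the example.

```python
from collections import namedtuple

FRAME_HEADER_LEN = 9   # RFC 7540 s4.1: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id
SETTINGS_TYPE = 0x4
FLAG_ACK = 0x1
Frame = namedtuple("Frame", "length ftype flags stream_id")

def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialise one HTTP/2 frame; used here only to construct sample input."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)

def parse_frames(buf):
    """Walk the complete frames in buf; a trailing partial frame is left unparsed."""
    frames, off = [], 0
    while off + FRAME_HEADER_LEN <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        if off + FRAME_HEADER_LEN + length > len(buf):
            break
        frames.append(Frame(length, ftype, flags, stream_id))
        off += FRAME_HEADER_LEN + length
    return frames

def check_settings_budget(buf, max_settings=32):
    """Return (verdict, number of non-ACK SETTINGS frames seen).

    Each non-ACK SETTINGS frame obliges the receiver to answer with a SETTINGS
    ACK, so an unbounded run of them is the flood the advisory describes.
    max_settings is an assumed per-connection budget, not a value from the page.
    """
    count = 0
    for f in parse_frames(buf):
        if f.ftype != SETTINGS_TYPE:
            continue
        if f.stream_id != 0 or f.length % 6 or (f.flags & FLAG_ACK and f.length):
            return "protocol_error", count   # RFC 7540 s6.5: malformed SETTINGS frame
        if f.flags & FLAG_ACK:
            continue                         # the peer's own ACKs need no reply
        count += 1
        if count > max_settings:
            return "enhance_your_calm", count   # close the connection instead of queuing more ACKs
    return "ok", count

# Constructed sample traffic; the client connection preface is assumed already consumed.
LEGIT = (build_frame(SETTINGS_TYPE, 0, 0, (3).to_bytes(2, "big") + (100).to_bytes(4, "big"))
         + build_frame(SETTINGS_TYPE, FLAG_ACK, 0))
FLOOD = build_frame(SETTINGS_TYPE, 0, 0) * 200
```

A real server would track the count per connection over time and answer the over-budget case with GOAWAY(ENHANCE_YOUR_CALM); the verdict string stands in for that action here.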
Recommendations
For Apache Traffic Server, consider disabling the HTTP/2 protocol until a patch is available.
For H2O, restrict access to the HTTP/2 implementation to minimize the risk of exploitation.
For Node.js, avoid using the HTTP/2 protocol in affected versions until the issue is resolved.
For SwiftNIO, consider disabling the HTTP/2 protocol until a patch is available.
For Arista EOS, disable TerminAttr and OpenConfig services if they are not necessary.
For Arista CloudVision Portal, restrict access to the ingest component in the CVP Backend.
For Arista Wi-Fi software, disable the OpenConfig interface on Access Points unless explicitly needed.
For all other affected products, there is currently no information about a newer version that contains a fix for this vulnerability.
DoS
Resource Exhaustion
Allocation of Resources Without Limits
Affected Products
ALT Linux
AlmaLinux
Apache Traffic Server
Arista CloudVision Portal
Arista EOS
Arista Wi-Fi
CentOS
Debian
F5 BIG-IP Local Traffic Manager
Fedora
H2O
McAfee Web Gateway
Node.js
openSUSE Leap
Oracle GraalVM
Red Hat
Red Hat JBoss Core Services
Red Hat JBoss Enterprise Application Platform
Red Hat OpenShift Container Platform
Red Hat OpenShift Service Mesh
Red Hat OpenStack
Red Hat Quay
Red Hat Single Sign-On
Red Hat Software Collections
Rocky Linux
SUSE
SwiftNIO
Synology DiskStation Manager
Synology SkyNAS
Synology VS960HD Firmware
Ubuntu