CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9518, CVE-2019-9511, CVE-2019-9516, CVE-2019-9517: Some Pivotal products are impacted by HTTP/2 denial of service attacks
Advisory ID: 23818
Published: 04 December 2019
Status: CLOSED
Severity: High
Vendor: Pivotal
CVEs: CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518
Description
Some Pivotal products, through their consumption of imperfect HTTP/2 implementations, are impacted by various HTTP/2 vulnerabilities, including Data Dribble, Ping Flood, Resource Loop, Reset Flood, Settings Flood, 0-Length Headers Leak, Internal Data Buffering, and Empty Frames Flood. A remote attacker could cause a denial of service by exploiting these weaknesses.

Affected VMware Products and Versions
Severity is high unless otherwise noted.
- Pivotal Concourse
  - 4.2 versions prior to 4.2.5
  - 5.2 versions prior to 5.2.3
- MySQL for Pivotal Platform
  - All versions prior to 2.7.2
- Pivotal Cloud Cache
  - All versions prior to 1.9.0
- Pivotal Application Service (PAS)
  - 2.5 versions prior to 2.5.12
  - 2.6 versions prior to 2.6.7
  - 2.7 versions prior to 2.7.1
- Pivotal Application Service (PAS) for Windows
  - 2.5 versions prior to 2.5.8
  - 2.6 versions prior to 2.6.5
  - 2.7 versions prior to 2.7.1
- Redis for PCF
  - 2.0 versions prior to 2.0.6
  - 2.1 versions prior to 2.1.5
  - 2.2 versions prior to 2.2.2
- Pivotal Ops Manager
  - 2.4 versions prior to 2.4.23
  - 2.5 versions prior to 2.5.20
  - 2.6 versions prior to 2.6.12
- RabbitMQ for Pivotal Platform
  - 1.16 versions prior to 1.16.7
  - 1.17 versions prior to 1.17.4
- Pivotal Isolation Segment
  - 2.5 versions prior to 2.5.11
  - 2.6 versions prior to 2.6.6
  - 2.7 versions prior to 2.7.1
- On-Demand Service Broker (ODB)
  - All versions prior to v0.33.1
Mitigation
Upgrade to the following fixed versions:
- Pivotal Concourse
  - 4.2.5
  - 5.2.3
- MySQL for Pivotal Platform
  - 2.7.2
- Pivotal Cloud Cache
  - 1.9.0
- Pivotal Application Service (PAS)
  - 2.5.12
  - 2.6.7
  - 2.7.1
- Pivotal Application Service (PAS) for Windows
  - 2.5.8
  - 2.6.5
  - 2.7.1
- Redis for PCF
  - 2.0.6
  - 2.1.5
  - 2.2.2
- Pivotal Ops Manager
  - 2.4.23
  - 2.5.20
  - 2.6.12
- RabbitMQ for Pivotal Platform
  - 1.16.7
  - 1.17.4
- Pivotal Isolation Segment
  - 2.5.11
  - 2.6.6
  - 2.7.1
- On-Demand Service Broker (ODB)
  - v0.33.1
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9516
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9517
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518
- https://www.cloudfoundry.org/blog/various-http2-cves/
History
2019-12-04: Initial vulnerability report published.