CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9518, CVE-2019-9511, CVE-2019-9516, CVE-2019-9517: Some Pivotal products are impacted by HTTP/2 denial of service attacks
Severity

High

Vendor

Pivotal

Description

Some Pivotal products consume HTTP/2 implementations with known flaws and are therefore impacted by several HTTP/2 vulnerabilities, including Data Dribble, Ping Flood, Resource Loop, Reset Flood, Settings Flood, 0-Length Headers Leak, Internal Data Buffering, and Empty Frames Flood. A remote attacker could cause a denial of service by exploiting these weaknesses.
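As a defender-side illustration that is added here and is not part of the Pivotal advisory or any Pivotal product: the flood-style weaknesses named above (Ping Flood, Settings Flood, Reset Flood, Empty Frames Flood) share one shape, a peer sending many frames that cost the server work but never advance a request. The frame-level counter below, of the kind a proxy or IDS could run per connection, makes that visible; the function names, the 100-frame threshold and the sample byte stream are assumptions.

```python
import struct
from collections import Counter

# HTTP/2 frame header (RFC 7540 section 4.1): 24-bit length, 8-bit type,
# 8-bit flags, reserved bit + 31-bit stream id, all network byte order.
_HDR = struct.Struct("!3sBBI")
_CONTROL = {3: "RST_STREAM", 4: "SETTINGS", 6: "PING", 8: "WINDOW_UPDATE"}
END_STREAM = 0x1  # DATA/HEADERS flag
ACK = 0x1         # SETTINGS/PING flag

def parse_frames(data: bytes):
    """Split a raw HTTP/2 byte stream into (type, flags, stream_id, payload)."""
    frames, off = [], 0
    while off + _HDR.size <= len(data):
        length_b, ftype, flags, sid = _HDR.unpack_from(data, off)
        length, body = int.from_bytes(length_b, "big"), off + _HDR.size
        if body + length > len(data):  # truncated trailing frame: stop
            break
        frames.append((ftype, flags, sid & 0x7FFFFFFF, data[body:body + length]))
        off = body + length
    return frames

def count_non_progress_frames(frames):
    """Count frames that cost the peer work but advance no request: the flood
    patterns in this advisory (unacknowledged PING/SETTINGS, RST_STREAM,
    WINDOW_UPDATE, and zero-length DATA that never carries END_STREAM)."""
    counts = Counter()
    for ftype, flags, _sid, payload in frames:
        if ftype in _CONTROL and not (ftype in (4, 6) and flags & ACK):
            counts[_CONTROL[ftype]] += 1
        elif ftype == 0 and not payload and not flags & END_STREAM:
            counts["EMPTY_DATA"] += 1
    return counts

def suspicious_frame_types(data: bytes, limit: int = 100):
    """Frame categories whose count on one connection exceeds `limit`
    (an assumed illustrative threshold, not a value from the advisory)."""
    counts = count_non_progress_frames(parse_frames(data))
    return sorted(name for name, n in counts.items() if n > limit)

def _frame(ftype, flags, sid, payload=b""):
    """Build one frame; only used to construct the sample stream below."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + sid.to_bytes(4, "big") + payload

# Constructed sample: one normal request, then 200 unacknowledged PINGs and
# 50 empty DATA frames that never end stream 1.
SAMPLE = (_frame(4, 0, 0) + _frame(1, 0x5, 1, b"\x82\x84")
          + _frame(6, 0, 0, b"\0" * 8) * 200 + _frame(0, 0, 1) * 50)
```

A server that tracks these counts can close or rate-limit the connection (the fixed releases listed below do the equivalent internally), and the same counts make a useful per-client metric for detection.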

Affected VMware Products and Versions

Severity is high unless otherwise noted.

  • Pivotal Concourse
    • 4.2 versions prior to 4.2.5
    • 5.2 versions prior to 5.2.3
  • MySQL for Pivotal Platform
    • All versions prior to 2.7.2
  • Pivotal Cloud Cache
    • All versions prior to 1.9.0
  • Pivotal Application Service (PAS)
    • 2.5 versions prior to 2.5.12
    • 2.6 versions prior to 2.6.7
    • 2.7 versions prior to 2.7.1
  • Pivotal Application Service (PAS) for Windows
    • 2.5 versions prior to 2.5.8
    • 2.6 versions prior to 2.6.5
    • 2.7 versions prior to 2.7.1
  • Redis for PCF
    • 2.0 versions prior to 2.0.6
    • 2.1 versions prior to 2.1.5
    • 2.2 versions prior to 2.2.2
  • Pivotal Ops Manager
    • 2.4 versions prior to 2.4.23
    • 2.5 versions prior to 2.5.20
    • 2.6 versions prior to 2.6.12
  • RabbitMQ for Pivotal Platform
    • 1.16 versions prior to 1.16.7
    • 1.17 versions prior to 1.17.4
  • Pivotal Isolation Segment
    • 2.5 versions prior to 2.5.11
    • 2.6 versions prior to 2.6.6
    • 2.7 versions prior to 2.7.1
  • On-Demand Service Broker (ODB)
    • All versions prior to v0.33.1

Mitigation

Users of affected versions should upgrade to a fixed release. Releases that fix these issues include:

  • Pivotal Concourse
    • 4.2.5
    • 5.2.3
  • MySQL for Pivotal Platform
    • 2.7.2
  • Pivotal Cloud Cache
    • 1.9.0
  • Pivotal Application Service (PAS)
    • 2.5.12
    • 2.6.7
    • 2.7.1
  • Pivotal Application Service (PAS) for Windows
    • 2.5.8
    • 2.6.5
    • 2.7.1
  • Redis for PCF
    • 2.0.6
    • 2.1.5
    • 2.2.2
  • Pivotal Ops Manager
    • 2.4.23
    • 2.5.20
    • 2.6.12
  • RabbitMQ for Pivotal Platform
    • 1.16.7
    • 1.17.4
  • Pivotal Isolation Segment
    • 2.5.11
    • 2.6.6
    • 2.7.1
  • On-Demand Service Broker (ODB)
    • v0.33.1

History

2019-12-04: Initial vulnerability report published.