[twisted] HTTP/2 DoS Attacks: Ping, Reset, and Settings Floods

Impact

Twisted web servers that utilize the optional HTTP/2 support suffer from the following flow-control related vulnerabilities:

Ping flood: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512
Reset flood: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514
Settings flood: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515

A Twisted web server supports HTTP/2 requests if you’ve installed the http2 optional dependency set.

Workarounds

There are no workarounds.

References

https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

For more information

If you have any questions or comments about this advisory:

• Open an issue in Twisted’s Trac

References

• https://github.com/twisted/twisted/security/advisories/GHSA-32gv-6cf3-wcmq
• https://github.com/twisted/twisted/commit/a40ab1ce5210f231abe7a448a54d7e88e48f2d5d
• https://github.com/advisories/GHSA-32gv-6cf3-wcmq