CVE - CVE-2019-9517

CVE-ID
CVE-2019-9517	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
BUGTRAQ:20190826 [SECURITY] [DSA 4509-1] apache2 security update URL:https://seclists.org/bugtraq/2019/Aug/47 CERT-VN:VU#605641 URL:https://kb.cert.org/vuls/id/605641/ CONFIRM:https://kc.mcafee.com/corporate/index?page=content&id=SB10296 CONFIRM:https://security.netapp.com/advisory/ntap-20190823-0003/ CONFIRM:https://security.netapp.com/advisory/ntap-20190823-0005/ CONFIRM:https://security.netapp.com/advisory/ntap-20190905-0003/ CONFIRM:https://support.f5.com/csp/article/K02591030 CONFIRM:https://support.f5.com/csp/article/K02591030?utm_source=f5support&utm_medium=RSS CONFIRM:https://www.synology.com/security/advisory/Synology_SA_19_33 DEBIAN:DSA-4509 URL:https://www.debian.org/security/2019/dsa-4509 FEDORA:FEDORA-2019-4427fd65be URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/ FEDORA:FEDORA-2019-5a6a7bc12c URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/ FEDORA:FEDORA-2019-63ba15cc83 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/ FEDORA:FEDORA-2019-6a2980de56 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/ GENTOO:GLSA-201909-04 URL:https://security.gentoo.org/glsa/201909-04 MISC:https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md MISC:https://www.oracle.com/security-alerts/cpuapr2020.html MISC:https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html MLIST:[httpd-announce] 20190814 CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers URL:https://lists.apache.org/thread.html/4610762456644181b267c846423b3a990bd4aaea1886ecc7d51febdb@%3Cannounce.httpd.apache.org%3E MLIST:[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html URL:https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E MLIST:[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html URL:https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E MLIST:[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html URL:https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E MLIST:[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/ URL:https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E MLIST:[httpd-cvs] 20210330 svn commit: r1073139 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/json/ URL:https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d@%3Ccvs.httpd.apache.org%3E MLIST:[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html URL:https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E MLIST:[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/ URL:https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3Ccvs.httpd.apache.org%3E MLIST:[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/ URL:https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E MLIST:[httpd-cvs] 20210330 svn commit: r1073149 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/ URL:https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46ce50eee90b2e36@%3Ccvs.httpd.apache.org%3E MLIST:[httpd-cvs] 20210330 svn commit: r1888194 [12/13] - /httpd/site/trunk/content/security/json/ URL:https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538@%3Ccvs.httpd.apache.org%3E MLIST:[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html URL:https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E MLIST:[httpd-dev] 20190817 CVE-2019-10097 vs. CHANGEs entry URL:https://lists.apache.org/thread.html/ec97fdfc1a859266e56fef084353a34e0a0b08901b3c1aa317a43c8c@%3Cdev.httpd.apache.org%3E MLIST:[httpd-dev] 20190817 Re: CVE-2019-10097 vs. CHANGEs entry URL:https://lists.apache.org/thread.html/d89f999e26dfb1d50f247ead1fe8538014eb412b2dbe5be4b1a9ef50@%3Cdev.httpd.apache.org%3E MLIST:[oss-security] 20190814 CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers URL:http://www.openwall.com/lists/oss-security/2019/08/15/7 REDHAT:RHSA-2019:2893 URL:https://access.redhat.com/errata/RHSA-2019:2893 REDHAT:RHSA-2019:2925 URL:https://access.redhat.com/errata/RHSA-2019:2925 REDHAT:RHSA-2019:2939 URL:https://access.redhat.com/errata/RHSA-2019:2939 REDHAT:RHSA-2019:2946 URL:https://access.redhat.com/errata/RHSA-2019:2946 REDHAT:RHSA-2019:2949 URL:https://access.redhat.com/errata/RHSA-2019:2949 REDHAT:RHSA-2019:2950 URL:https://access.redhat.com/errata/RHSA-2019:2950 REDHAT:RHSA-2019:2955 URL:https://access.redhat.com/errata/RHSA-2019:2955 REDHAT:RHSA-2019:3932 URL:https://access.redhat.com/errata/RHSA-2019:3932 REDHAT:RHSA-2019:3933 URL:https://access.redhat.com/errata/RHSA-2019:3933 REDHAT:RHSA-2019:3935 URL:https://access.redhat.com/errata/RHSA-2019:3935 SUSE:openSUSE-SU-2019:2051 URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00004.html SUSE:openSUSE-SU-2019:2114 URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html SUSE:openSUSE-SU-2019:2115 URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html UBUNTU:USN-4113-1 URL:https://usn.ubuntu.com/4113-1/
Assigning CNA
CERT/CC
Date Record Created
20190301	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20190301)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)