CVE - CVE-2019-9518

CVE-ID
CVE-2019-9518	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
BUGTRAQ:20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0 URL:https://seclists.org/bugtraq/2019/Aug/24 BUGTRAQ:20190910 [SECURITY] [DSA 4520-1] trafficserver security update URL:https://seclists.org/bugtraq/2019/Sep/18 CERT-VN:VU#605641 URL:https://kb.cert.org/vuls/id/605641/ CONFIRM:https://kc.mcafee.com/corporate/index?page=content&id=SB10296 CONFIRM:https://security.netapp.com/advisory/ntap-20190823-0005/ CONFIRM:https://support.f5.com/csp/article/K46011592 CONFIRM:https://support.f5.com/csp/article/K46011592?utm_source=f5support&utm_medium=RSS CONFIRM:https://www.synology.com/security/advisory/Synology_SA_19_33 DEBIAN:DSA-4520 URL:https://www.debian.org/security/2019/dsa-4520 FEDORA:FEDORA-2019-5a6a7bc12c URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/ FEDORA:FEDORA-2019-6a2980de56 URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/ FULLDISC:20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0 URL:http://seclists.org/fulldisclosure/2019/Aug/16 MISC:https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md MLIST:[cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty URL:https://lists.apache.org/thread.html/r99a625fb17032646d96cd23dec49603ff630e9318e44a686d63046bc@%3Ccommits.cassandra.apache.org%3E MLIST:[cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty URL:https://lists.apache.org/thread.html/rd31230d01fa6aad18bdadc0720acd1747e53690bd35f73a48e7a9b75@%3Ccommits.cassandra.apache.org%3E MLIST:[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities URL:https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E MLIST:[trafficserver-announce] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames URL:https://lists.apache.org/thread.html/2653c56545573b528f3f6352a29eccaf498bd6fb2a6a59568d81a61d@%3Cannounce.trafficserver.apache.org%3E MLIST:[trafficserver-dev] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames URL:https://lists.apache.org/thread.html/ff5b0821a6985159a832ff6d1a4bd311ac07ecc7db1e2d8bab619107@%3Cdev.trafficserver.apache.org%3E MLIST:[trafficserver-users] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames URL:https://lists.apache.org/thread.html/091b518265bce56a16af87b77c8cfacda902a02079e866f9fdf13b61@%3Cusers.trafficserver.apache.org%3E REDHAT:RHSA-2019:2925 URL:https://access.redhat.com/errata/RHSA-2019:2925 REDHAT:RHSA-2019:2939 URL:https://access.redhat.com/errata/RHSA-2019:2939 REDHAT:RHSA-2019:2955 URL:https://access.redhat.com/errata/RHSA-2019:2955 REDHAT:RHSA-2019:3892 URL:https://access.redhat.com/errata/RHSA-2019:3892 REDHAT:RHSA-2019:4352 URL:https://access.redhat.com/errata/RHSA-2019:4352 REDHAT:RHSA-2020:0727 URL:https://access.redhat.com/errata/RHSA-2020:0727 SUSE:openSUSE-SU-2019:2114 URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html SUSE:openSUSE-SU-2019:2115 URL:http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html
Assigning CNA
CERT/CC
Date Record Created
20190301	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20190301)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is a record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)