CVE-2019-9514: Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an…

high7.5CVSS 3.1

AVNACLPRNUINSUCNINAH

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.

Affected

75 ranges· showing 25

Vendor	Product	Version range	Fixed in
apache	traffic_server	6.0.0 – 6.2.3	—
apache	traffic_server	7.0.0 – 7.1.6	—
apache	traffic_server	8.0.0 – 8.0.3	—
apple	swiftnio	1.0.0 – 1.4.0	—
apple	swiftnio_http_2	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	h2o	< h2o 2.2.5+dfsg2-3 (bookworm)	h2o 2.2.5+dfsg2-3 (bookworm)
debian	nodejs	< h2o 2.2.5+dfsg2-3 (bookworm)	h2o 2.2.5+dfsg2-3 (bookworm)
debian	rust-h2	< h2o 2.2.5+dfsg2-3 (bookworm)	h2o 2.2.5+dfsg2-3 (bookworm)
debian	trafficserver	< h2o 2.2.5+dfsg2-3 (bookworm)	h2o 2.2.5+dfsg2-3 (bookworm)
f5	big-ip_local_traffic_manager	>= 11.6.1 < 11.6.5.1	11.6.5.1
f5	big-ip_local_traffic_manager	>= 12.1.0 < 12.1.5.1	12.1.5.1
f5	big-ip_local_traffic_manager	>= 13.1.0 < 13.1.3.2	13.1.3.2
f5	big-ip_local_traffic_manager	>= 14.0.0 < 14.0.1.1	14.0.1.1
f5	big-ip_local_traffic_manager	>= 14.1.0 < 14.1.2.1	14.1.2.1
f5	big-ip_local_traffic_manager	>= 15.0.0 < 15.0.1.1	15.0.1.1
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
golang.org	x_net	>= 0 < 0.0.0-20190813141303-74dc4d7220e7	0.0.0-20190813141303-74dc4d7220e7
h2o	h2o	>= 0 < 2.2.5+dfsg2-3	2.2.5+dfsg2-3
h2o	h2o	>= 0 < 2.2.5+dfsg2-3	2.2.5+dfsg2-3

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

ghsa7.5HIGH

osv7.5HIGH