CVE-2019-9518

CWE-400 — Uncontrolled Resource Consumption CWE-770 — Allocation without Limits17 documents11 sources

Severity

7.5HIGH

EPSS

3.6%

top 12.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Mcafee WEB Gateway Nodejs Node.js Apache Traffic Server +13 more

Timeline

PublishedAug 13

Latest updateMay 24

Description

Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages14 packages

▶NVDredhat/jboss_core_services1.0

▶NVDredhat/openshift_service_mesh1.0

▶NVDnodejs/node.js8.9.0 — 8.16.1+4

▶NVDmcafee/web_gateway7.7.2.0 — 7.7.2.24+2

▶Ubuntunetty< 1:4.1.7-4ubuntu0.1+esm1

Also affects: Debian Linux 10.0, 9.0, Fedora 29, 30, Ubuntu Linux 16.04, 18.04, 19.04, Enterprise Linux 8.0

🔴Vulnerability Details

GHSA

GHSA-93p3-5r25-4p75: Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service↗2022-05-24

▶

OSV

netty vulnerabilities↗2021-06-29

▶

OSV

CVE-2019-9518: Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service↗2019-08-13

▶

CVEList

Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service↗2019-08-13

▶

📋Vendor Advisories

Ubuntu

Netty vulnerabilities↗2021-06-29

▶

Microsoft

HTTP/2 Server Denial of Service Vulnerability↗2019-08-13

▶

Apple

CVE-2019-9518: SwiftNIO HTTP/2 1.5.0↗2019-08-13

▶

Red Hat

HTTP/2: flood using empty frames results in excessive resource consumption↗2019-08-13

▶

Debian

CVE-2019-9518: trafficserver - Some HTTP/2 implementations are vulnerable to a flood of empty frames, potential...↗2019

▶

💬Community

Bugzilla

CVE-2019-9518 undertow: HTTP/2: flood using empty frames results in excessive resource consumption [fedora-all]↗2019-09-03

▶

Bugzilla

CVE-2019-9518 nodejs: HTTP/2: flood using empty frames results in excessive resources consumption [fedora-all]↗2019-08-16

▶

Bugzilla

CVE-2019-9518 nginx: HTTP/2: flood using empty frames results in excessive resource consumption [epel-all]↗2019-08-16

▶

Bugzilla

CVE-2019-9518 nodejs: HTTP/2: flood using empty frames results in excessive resource consumption [epel-all]↗2019-08-16

▶

Bugzilla

CVE-2019-9518 nginx: HTTP/2: flood using empty frames results in excessive resource consumption [fedora-all]↗2019-08-16

▶