CVE-2019-9516
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service
Severity Score
6.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.
Algunas implementaciones de HTTP / 2 son vulnerables a una fuga de encabezado, lo que puede conducir a una denegación de servicio. El atacante envía una secuencia de encabezados con un nombre de encabezado de longitud 0 y un valor de encabezado de longitud 0, opcionalmente Huffman codificado en encabezados de 1 byte o más. Algunas implementaciones asignan memoria para estos encabezados y mantienen viva la asignación hasta que la sesión muere. Esto puede consumir un exceso de memoria.
A flaw was found in HTTP/2. An attacker, sending a stream of header with a 0-length header name and a 0-length header value, could cause some implementations to allocate memory for these headers and keep the allocations alive until the session dies. The can consume excess memory, potentially leading to a denial of service. The highest threat from this vulnerability is to system availability.
Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release adds the new Apache HTTP Server 2.4.37 packages that are part of the JBoss Core Services offering. This release serves as a replacement for Red Hat JBoss Core Services Pack Apache Server 2.4.29 and includes bug fixes and enhancements. Issues addressed include bypass and denial of service vulnerabilities.
*Credits:
Thanks to Jonathan Looney of Netflix for reporting this vulnerability.
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2019-03-01 CVE Reserved
- 2019-08-13 CVE Published
- 2024-08-04 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
- CWE-770: Allocation of Resources Without Limits or Throttling
CAPEC
References (39)
| URL | Tag | Source |
|---|---|---|
| http://seclists.org/fulldisclosure/2019/Aug/16 | Mailing List |
|
| https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md | Third Party Advisory | |
| https://kb.cert.org/vuls/id/605641 | Third Party Advisory |
|
| https://kc.mcafee.com/corporate/index?page=content&id=SB10296 | Third Party Advisory | |
| https://seclists.org/bugtraq/2019/Aug/24 | Mailing List |
|
| https://seclists.org/bugtraq/2019/Aug/40 | Mailing List |
|
| https://security.netapp.com/advisory/ntap-20190823-0002 | Third Party Advisory |
|
| https://security.netapp.com/advisory/ntap-20190823-0005 | Third Party Advisory |
|
| https://support.f5.com/csp/article/K02591030 | Third Party Advisory | |
| https://support.f5.com/csp/article/K02591030?utm_source=f5support&%3Butm_medium=RSS | X_refsource_confirm | |
| https://www.synology.com/security/advisory/Synology_SA_19_33 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apple Search vendor "Apple" | Swiftnio Search vendor "Apple" for product "Swiftnio" | >= 1.0.0 <= 1.4.0 Search vendor "Apple" for product "Swiftnio" and version " >= 1.0.0 <= 1.4.0" | - |
Affected
| in | Apple Search vendor "Apple" | Mac Os X Search vendor "Apple" for product "Mac Os X" | >= 10.12 Search vendor "Apple" for product "Mac Os X" and version " >= 10.12" | - |
Safe
|
| Apple Search vendor "Apple" | Swiftnio Search vendor "Apple" for product "Swiftnio" | >= 1.0.0 <= 1.4.0 Search vendor "Apple" for product "Swiftnio" and version " >= 1.0.0 <= 1.4.0" | - |
Affected
| in | Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | >= 14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version " >= 14.04" | - |
Safe
|
| Synology Search vendor "Synology" | Vs960hd Firmware Search vendor "Synology" for product "Vs960hd Firmware" | - | - |
Affected
| in | Synology Search vendor "Synology" | Vs960hd Search vendor "Synology" for product "Vs960hd" | - | - |
Safe
|
| Apache Search vendor "Apache" | Traffic Server Search vendor "Apache" for product "Traffic Server" | >= 6.0.0 <= 6.2.3 Search vendor "Apache" for product "Traffic Server" and version " >= 6.0.0 <= 6.2.3" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Traffic Server Search vendor "Apache" for product "Traffic Server" | >= 7.0.0 <= 7.1.6 Search vendor "Apache" for product "Traffic Server" and version " >= 7.0.0 <= 7.1.6" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Traffic Server Search vendor "Apache" for product "Traffic Server" | >= 8.0.0 <= 8.0.3 Search vendor "Apache" for product "Traffic Server" and version " >= 8.0.0 <= 8.0.3" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 19.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "19.04" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 30 Search vendor "Fedoraproject" for product "Fedora" and version "30" | - |
Affected
| ||||||
| Synology Search vendor "Synology" | Diskstation Manager Search vendor "Synology" for product "Diskstation Manager" | 6.2 Search vendor "Synology" for product "Diskstation Manager" and version "6.2" | - |
Affected
| ||||||
| Synology Search vendor "Synology" | Skynas Search vendor "Synology" for product "Skynas" | - | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 29 Search vendor "Fedoraproject" for product "Fedora" and version "29" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 30 Search vendor "Fedoraproject" for product "Fedora" and version "30" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 32 Search vendor "Fedoraproject" for product "Fedora" and version "32" | - |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 15.0 Search vendor "Opensuse" for product "Leap" and version "15.0" | - |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 15.1 Search vendor "Opensuse" for product "Leap" and version "15.1" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Core Services Search vendor "Redhat" for product "Jboss Core Services" | 1.0 Search vendor "Redhat" for product "Jboss Core Services" and version "1.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.2.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.2.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.3.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.3.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openshift Service Mesh Search vendor "Redhat" for product "Openshift Service Mesh" | 1.0 Search vendor "Redhat" for product "Openshift Service Mesh" and version "1.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Quay Search vendor "Redhat" for product "Quay" | 3.0.0 Search vendor "Redhat" for product "Quay" and version "3.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Software Collections Search vendor "Redhat" for product "Software Collections" | 1.0 Search vendor "Redhat" for product "Software Collections" and version "1.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Graalvm Search vendor "Oracle" for product "Graalvm" | 19.2.0 Search vendor "Oracle" for product "Graalvm" and version "19.2.0" | enterprise |
Affected
| ||||||
| Mcafee Search vendor "Mcafee" | Web Gateway Search vendor "Mcafee" for product "Web Gateway" | >= 7.7.2.0 < 7.7.2.24 Search vendor "Mcafee" for product "Web Gateway" and version " >= 7.7.2.0 < 7.7.2.24" | - |
Affected
| ||||||
| Mcafee Search vendor "Mcafee" | Web Gateway Search vendor "Mcafee" for product "Web Gateway" | >= 7.8.2.0 < 7.8.2.13 Search vendor "Mcafee" for product "Web Gateway" and version " >= 7.8.2.0 < 7.8.2.13" | - |
Affected
| ||||||
| Mcafee Search vendor "Mcafee" | Web Gateway Search vendor "Mcafee" for product "Web Gateway" | >= 8.1.0 < 8.2.0 Search vendor "Mcafee" for product "Web Gateway" and version " >= 8.1.0 < 8.2.0" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Nginx Search vendor "F5" for product "Nginx" | >= 1.9.5 < 1.16.1 Search vendor "F5" for product "Nginx" and version " >= 1.9.5 < 1.16.1" | - |
Affected
| ||||||
| F5 Search vendor "F5" | Nginx Search vendor "F5" for product "Nginx" | >= 1.17.0 <= 1.17.2 Search vendor "F5" for product "Nginx" and version " >= 1.17.0 <= 1.17.2" | - |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node.js Search vendor "Nodejs" for product "Node.js" | >= 8.0.0 < 8.16.1 Search vendor "Nodejs" for product "Node.js" and version " >= 8.0.0 < 8.16.1" | lts |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node.js Search vendor "Nodejs" for product "Node.js" | >= 10.0.0 < 10.16.3 Search vendor "Nodejs" for product "Node.js" and version " >= 10.0.0 < 10.16.3" | lts |
Affected
| ||||||
| Nodejs Search vendor "Nodejs" | Node.js Search vendor "Nodejs" for product "Node.js" | >= 12.0.0 < 12.8.1 Search vendor "Nodejs" for product "Node.js" and version " >= 12.0.0 < 12.8.1" | - |
Affected
| ||||||