CVE-2019-9517

Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.

Algunas implementaciones HTTP / 2 son vulnerables al almacenamiento en búfer de datos interal sin restricciones, lo que puede conducir a una denegación de servicio. El atacante abre la ventana HTTP / 2 para que el par pueda enviar sin restricciones; sin embargo, dejan la ventana TCP cerrada para que el igual no pueda escribir (muchos de) los bytes en el cable. El atacante luego envía una secuencia de solicitudes para un objeto de respuesta grande. Dependiendo de cómo los servidores ponen en cola las respuestas, esto puede consumir un exceso de memoria, CPU o ambos.

A vulnerability was found in HTTP/2. An attacker can open a HTTP/2 window so the peer can send without constraint. The TCP window remains closed so the peer cannot write the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the server's queue is setup, the responses can consume excess memory, CPU, or both, potentially leading to a denial of service. The highest threat from this vulnerability is to system availability.

*Credits: Thanks to Jonathan Looney of Netflix for reporting this vulnerability.

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-03-01 CVE Reserved
2019-08-13 CVE Published
2024-08-04 CVE Updated
2024-08-06 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-770: Allocation of Resources Without Limits or Throttling

CAPEC

References (49)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2019/08/15/7	Mailing List
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md	Third Party Advisory
https://kb.cert.org/vuls/id/605641	Third Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10296	Third Party Advisory
https://lists.apache.org/thread.html/4610762456644181b267c846423b3a990bd4aaea1886ecc7d51febdb%40%3Cannounce.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/d89f999e26dfb1d50f247ead1fe8538014eb412b2dbe5be4b1a9ef50%40%3Cdev.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/ec97fdfc1a859266e56fef084353a34e0a0b08901b3c1aa317a43c8c%40%3Cdev.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46ce50eee90b2e36%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://seclists.org/bugtraq/2019/Aug/47	Mailing List
https://security.netapp.com/advisory/ntap-20190823-0003	Third Party Advisory
https://security.netapp.com/advisory/ntap-20190823-0005	Third Party Advisory
https://security.netapp.com/advisory/ntap-20190905-0003	Third Party Advisory
https://support.f5.com/csp/article/K02591030	Third Party Advisory
https://support.f5.com/csp/article/K02591030?utm_source=f5support&amp%3Butm_medium=RSS	X_refsource_confirm
https://www.oracle.com/security-alerts/cpuapr2020.html	Third Party Advisory
https://www.synology.com/security/advisory/Synology_SA_19_33	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html	2023-11-07

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00004.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html	2023-11-07
https://access.redhat.com/errata/RHSA-2019:2893	2023-11-07
https://access.redhat.com/errata/RHSA-2019:2925	2023-11-07
https://access.redhat.com/errata/RHSA-2019:2939	2023-11-07
https://access.redhat.com/errata/RHSA-2019:2946	2023-11-07
https://access.redhat.com/errata/RHSA-2019:2949	2023-11-07
https://access.redhat.com/errata/RHSA-2019:2950	2023-11-07
https://access.redhat.com/errata/RHSA-2019:2955	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3932	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3933	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3935	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD	2023-11-07
https://security.gentoo.org/glsa/201909-04	2023-11-07
https://usn.ubuntu.com/4113-1	2023-11-07
https://www.debian.org/security/2019/dsa-4509	2023-11-07
https://access.redhat.com/security/cve/CVE-2019-9517	2020-04-14
https://bugzilla.redhat.com/show_bug.cgi?id=1741868	2020-04-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apple Search vendor "Apple"	Swiftnio Search vendor "Apple" for product "Swiftnio"	>= 1.0.0 <= 1.4.0 Search vendor "Apple" for product "Swiftnio" and version " >= 1.0.0 <= 1.4.0"	-	Affected	in	Apple Search vendor "Apple"	Mac Os X Search vendor "Apple" for product "Mac Os X"	>= 10.12 Search vendor "Apple" for product "Mac Os X" and version " >= 10.12"	-	Safe
Apple Search vendor "Apple"	Swiftnio Search vendor "Apple" for product "Swiftnio"	>= 1.0.0 <= 1.4.0 Search vendor "Apple" for product "Swiftnio" and version " >= 1.0.0 <= 1.4.0"	-	Affected	in	Canonical Search vendor "Canonical"	Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"	>= 14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version " >= 14.04"	-	Safe
Synology Search vendor "Synology"	Vs960hd Firmware Search vendor "Synology" for product "Vs960hd Firmware"	-	-	Affected	in	Synology Search vendor "Synology"	Vs960hd Search vendor "Synology" for product "Vs960hd"	-	-	Safe
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				>= 2.4.20 < 2.4.40 Search vendor "Apache" for product "Http Server" and version " >= 2.4.20 < 2.4.40"		-		Affected
Apache Search vendor "Apache"		Traffic Server Search vendor "Apache" for product "Traffic Server"				>= 6.0.0 <= 6.2.3 Search vendor "Apache" for product "Traffic Server" and version " >= 6.0.0 <= 6.2.3"		-		Affected
Apache Search vendor "Apache"		Traffic Server Search vendor "Apache" for product "Traffic Server"				>= 7.0.0 <= 7.1.6 Search vendor "Apache" for product "Traffic Server" and version " >= 7.0.0 <= 7.1.6"		-		Affected
Apache Search vendor "Apache"		Traffic Server Search vendor "Apache" for product "Traffic Server"				>= 8.0.0 <= 8.0.3 Search vendor "Apache" for product "Traffic Server" and version " >= 8.0.0 <= 8.0.3"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				19.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "19.04"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Synology Search vendor "Synology"		Diskstation Manager Search vendor "Synology" for product "Diskstation Manager"				6.2 Search vendor "Synology" for product "Diskstation Manager" and version "6.2"		-		Affected
Synology Search vendor "Synology"		Skynas Search vendor "Synology" for product "Skynas"				-		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				29 Search vendor "Fedoraproject" for product "Fedora" and version "29"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				30 Search vendor "Fedoraproject" for product "Fedora" and version "30"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.0 Search vendor "Opensuse" for product "Leap" and version "15.0"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.1 Search vendor "Opensuse" for product "Leap" and version "15.1"		-		Affected
Redhat Search vendor "Redhat"		Jboss Core Services Search vendor "Redhat" for product "Jboss Core Services"				1.0 Search vendor "Redhat" for product "Jboss Core Services" and version "1.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				7.2.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.2.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform"				7.3.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.3.0"		-		Affected
Redhat Search vendor "Redhat"		Openshift Service Mesh Search vendor "Redhat" for product "Openshift Service Mesh"				1.0 Search vendor "Redhat" for product "Openshift Service Mesh" and version "1.0"		-		Affected
Redhat Search vendor "Redhat"		Quay Search vendor "Redhat" for product "Quay"				3.0.0 Search vendor "Redhat" for product "Quay" and version "3.0.0"		-		Affected
Redhat Search vendor "Redhat"		Software Collections Search vendor "Redhat" for product "Software Collections"				1.0 Search vendor "Redhat" for product "Software Collections" and version "1.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Element Manager Search vendor "Oracle" for product "Communications Element Manager"				8.0.0 Search vendor "Oracle" for product "Communications Element Manager" and version "8.0.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Element Manager Search vendor "Oracle" for product "Communications Element Manager"				8.1.0 Search vendor "Oracle" for product "Communications Element Manager" and version "8.1.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Element Manager Search vendor "Oracle" for product "Communications Element Manager"				8.1.1 Search vendor "Oracle" for product "Communications Element Manager" and version "8.1.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Element Manager Search vendor "Oracle" for product "Communications Element Manager"				8.2.0 Search vendor "Oracle" for product "Communications Element Manager" and version "8.2.0"		-		Affected
Oracle Search vendor "Oracle"		Graalvm Search vendor "Oracle" for product "Graalvm"				19.2.0 Search vendor "Oracle" for product "Graalvm" and version "19.2.0"		enterprise		Affected
Oracle Search vendor "Oracle"		Instantis Enterprisetrack Search vendor "Oracle" for product "Instantis Enterprisetrack"				>= 17.1 <= 17.3 Search vendor "Oracle" for product "Instantis Enterprisetrack" and version " >= 17.1 <= 17.3"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service"				7.1 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "7.1"		-		Affected
Mcafee Search vendor "Mcafee"		Web Gateway Search vendor "Mcafee" for product "Web Gateway"				>= 7.7.2.0 < 7.7.2.24 Search vendor "Mcafee" for product "Web Gateway" and version " >= 7.7.2.0 < 7.7.2.24"		-		Affected
Mcafee Search vendor "Mcafee"		Web Gateway Search vendor "Mcafee" for product "Web Gateway"				>= 7.8.2.0 < 7.8.2.13 Search vendor "Mcafee" for product "Web Gateway" and version " >= 7.8.2.0 < 7.8.2.13"		-		Affected
Mcafee Search vendor "Mcafee"		Web Gateway Search vendor "Mcafee" for product "Web Gateway"				>= 8.1.0 < 8.2.0 Search vendor "Mcafee" for product "Web Gateway" and version " >= 8.1.0 < 8.2.0"		-		Affected
Netapp Search vendor "Netapp"		Clustered Data Ontap Search vendor "Netapp" for product "Clustered Data Ontap"				-		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 8.0.0 <= 8.8.1 Search vendor "Nodejs" for product "Node.js" and version " >= 8.0.0 <= 8.8.1"		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 8.9.0 < 8.16.1 Search vendor "Nodejs" for product "Node.js" and version " >= 8.9.0 < 8.16.1"		lts		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 10.0.0 <= 10.12.0 Search vendor "Nodejs" for product "Node.js" and version " >= 10.0.0 <= 10.12.0"		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 10.13.0 < 10.16.3 Search vendor "Nodejs" for product "Node.js" and version " >= 10.13.0 < 10.16.3"		lts		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 12.0.0 < 12.8.1 Search vendor "Nodejs" for product "Node.js" and version " >= 12.0.0 < 12.8.1"		-		Affected