CVE-2019-9516

Summary

CVE	CVE-2019-9516
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2019-08-13 21:15:00 UTC
Updated	2023-11-07 03:13:00 UTC
Description	Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.

Risk And Classification

Problem Types: CWE-770

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Traffic Server	All	All	All	All
Application	Apache	Traffic Server	All	All	All	All
Application	Apache	Traffic Server	All	All	All	All
Operating System	Apple	Mac Os X	All	All	All	All
Operating System	Apple	Mac Os X	All	All	All	All
Application	Apple	Swiftnio	All	All	All	All
Operating System	Canonical	Ubuntu Linux	All	All	All	All
Operating System	Canonical	Ubuntu Linux	All	All	All	All
Operating System	Canonical	Ubuntu Linux	16.04	All	All	All
Operating System	Canonical	Ubuntu Linux	18.04	All	All	All
Operating System	Canonical	Ubuntu Linux	19.04	All	All	All
Operating System	Canonical	Ubuntu Linux	16.04	All	All	All
Operating System	Canonical	Ubuntu Linux	18.04	All	All	All
Operating System	Canonical	Ubuntu Linux	19.04	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Application	F5	Nginx	All	All	All	All
Application	F5	Nginx	All	All	All	All
Operating System	Fedoraproject	Fedora	29	All	All	All
Operating System	Fedoraproject	Fedora	30	All	All	All
Operating System	Fedoraproject	Fedora	32	All	All	All
Operating System	Fedoraproject	Fedora	29	All	All	All
Operating System	Fedoraproject	Fedora	30	All	All	All
Operating System	Fedoraproject	Fedora	32	All	All	All
Application	Mcafee	Web Gateway	All	All	All	All
Application	Mcafee	Web Gateway	All	All	All	All
Application	Nginx	Nginx	All	All	All	All
Application	Nginx	Nginx	All	All	All	All
Application	Nginx	Nginx	All	All	All	All
Application	Nodejs	Node.js	All	All	All	All
Application	Nodejs	Node.js	All	All	All	All
Operating System	Opensuse	Leap	15.0	All	All	All
Operating System	Opensuse	Leap	15.1	All	All	All
Operating System	Opensuse	Leap	15.0	All	All	All
Operating System	Opensuse	Leap	15.1	All	All	All
Application	Oracle	Graalvm	19.2.0	All	All	All
Application	Oracle	Graalvm	19.2.0	All	All	All
Operating System	Redhat	Enterprise Linux	8.0	All	All	All
Operating System	Redhat	Enterprise Linux	8.0	All	All	All
Application	Redhat	Jboss Core Services	1.0	All	All	All
Application	Redhat	Jboss Core Services	1.0	All	All	All
Application	Redhat	Jboss Enterprise Application Platform	7.2.0	All	All	All
Application	Redhat	Jboss Enterprise Application Platform	7.3.0	All	All	All
Application	Redhat	Jboss Enterprise Application Platform	7.2.0	All	All	All
Application	Redhat	Jboss Enterprise Application Platform	7.3.0	All	All	All
Application	Redhat	Openshift Service Mesh	1.0	All	All	All
Application	Redhat	Openshift Service Mesh	1.0	All	All	All
Application	Redhat	Quay	3.0.0	All	All	All
Application	Redhat	Quay	3.0.0	All	All	All
Application	Redhat	Software Collections	1.0	All	All	All
Application	Redhat	Software Collections	1.0	All	All	All
Application	Synology	Diskstation Manager	6.2	All	All	All
Application	Synology	Diskstation Manager	6.2	All	All	All
Application	Synology	Skynas	-	All	All	All
Application	Synology	Skynas	-	All	All	All
Hardware	Synology	Vs960hd	-	All	All	All
Hardware	Synology	Vs960hd	-	All	All	All
Operating System	Synology	Vs960hd Firmware	-	All	All	All
Operating System	Synology	Vs960hd Firmware	-	All	All	All

References

Reference	Source	Link	Tags
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
myF5		support.f5.com
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
[SECURITY] Fedora 29 Update: mod_http2-1.15.3-2.fc29 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 29 Update: nodejs-10.16.3-1.fc29 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org	Mailing List, Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
[SECURITY] Fedora 30 Update: mod_http2-1.15.3-2.fc30 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org	Mailing List, Third Party Advisory
support.f5.com/csp/article/K02591030	CONFIRM	support.f5.com	Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Full Disclosure: APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0	FULLDISC	seclists.org	Mailing List, Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Bugtraq: APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0	BUGTRAQ	seclists.org	Mailing List, Third Party Advisory
McAfee Security Bulletin - Updates and product status for HTTP/2 vulnerabilities (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518, CVE-2019-3643, and CVE-2019-3644)	CONFIRM	kc.mcafee.com	Third Party Advisory
USN-4099-1: nginx vulnerabilities \| Ubuntu security notices \| Ubuntu	UBUNTU	usn.ubuntu.com	Third Party Advisory
[SECURITY] Fedora 30 Update: mod_http2-1.15.3-2.fc30 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[security-announce] openSUSE-SU-2019:2120-1: important: Security update	SUSE	lists.opensuse.org	Mailing List, Third Party Advisory
[SECURITY] Fedora 29 Update: nginx-1.16.1-1.fc29 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org	Mailing List, Third Party Advisory
August 2019 Node.js Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com	Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
[SECURITY] Fedora 32 Update: nodejs-12.20.1-1.fc32 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Synology Inc.	CONFIRM	www.synology.com	Third Party Advisory
[SECURITY] Fedora 30 Update: nginx-1.16.1-1.fc30 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org	Third Party Advisory
[SECURITY] Fedora 29 Update: mod_http2-1.15.3-2.fc29 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org	Mailing List, Third Party Advisory
[SECURITY] Fedora 30 Update: nginx-1.16.1-1.fc30 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
August 2019 NGINX Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com	Third Party Advisory
[security-announce] openSUSE-SU-2019:2115-1: important: Security update	SUSE	lists.opensuse.org	Mailing List, Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
security-bulletins/2019-002.md at master · Netflix/security-bulletins · GitHub	MISC	github.com	Third Party Advisory
[SECURITY] Fedora 29 Update: nodejs-10.16.3-1.fc29 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 30 Update: nodejs-10.16.3-1.fc30 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
[security-announce] openSUSE-SU-2019:2264-1: moderate: Security update f	SUSE	lists.opensuse.org	Mailing List, Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Debian -- Security Information -- DSA-4505-1 nginx	DEBIAN	www.debian.org	Third Party Advisory
[security-announce] openSUSE-SU-2019:2114-1: important: Security update	SUSE	lists.opensuse.org	Mailing List, Third Party Advisory
support.f5.com/csp/article/K02591030	CONFIRM	support.f5.com	Third Party Advisory
Bugtraq: [SECURITY] [DSA 4505-1] nginx security update	BUGTRAQ	seclists.org	Mailing List, Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
[SECURITY] Fedora 30 Update: nodejs-10.16.3-1.fc30 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org	Mailing List, Third Party Advisory
[SECURITY] Fedora 29 Update: nginx-1.16.1-1.fc29 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 32 Update: nodejs-12.20.1-1.fc32 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org	Mailing List, Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
VU#605641 - HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustion	CERT-VN	kb.cert.org	Third Party Advisory, US Government Resource
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: Thanks to Jonathan Looney of Netflix for reporting this vulnerability.

Legacy QID Mappings

296079 Oracle Solaris 11.4 Support Repository Update (SRU) 15.5.0 Missing (CPUOCT2019)
377103 Alibaba Cloud Linux Security Update for nginx:1.20 (ALINUX3-SA-2022:0016)
377378 Alibaba Cloud Linux Security Update for httpd:2.4 (ALINUX3-SA-2022:0017)
500427 Alpine Linux Security Update for nginx
500434 Alpine Linux Security Update for nodejs
504186 Alpine Linux Security Update for nginx
504197 Alpine Linux Security Update for nodejs
900026 CBL-Mariner Linux Security Update for nginx 1.16.1
902950 Common Base Linux Mariner (CBL-Mariner) Security Update for nginx (3590)
940051 AlmaLinux Security Update for nodejs:10 (ALSA-2019:2925)
940134 AlmaLinux Security Update for nginx:1.14 (ALSA-2019:2799)
960386 Rocky Linux Security Update for nodejs:10 (RLSA-2019:2925)
960857 Rocky Linux Security Update for nginx:1.14 (RLSA-2019:2799)