CVE-2019-9518

Summary

CVE	CVE-2019-9518
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2019-08-13 21:15:00 UTC
Updated	2023-11-07 03:13:00 UTC
Description	Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.

Risk And Classification

Problem Types: CWE-770

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Traffic Server	All	All	All	All
Application	Apache	Traffic Server	All	All	All	All
Application	Apache	Traffic Server	All	All	All	All
Operating System	Apple	Mac Os X	All	All	All	All
Operating System	Apple	Mac Os X	All	All	All	All
Application	Apple	Swiftnio	All	All	All	All
Operating System	Canonical	Ubuntu Linux	All	All	All	All
Operating System	Canonical	Ubuntu Linux	All	All	All	All
Operating System	Canonical	Ubuntu Linux	16.04	All	All	All
Operating System	Canonical	Ubuntu Linux	18.04	All	All	All
Operating System	Canonical	Ubuntu Linux	19.04	All	All	All
Operating System	Canonical	Ubuntu Linux	16.04	All	All	All
Operating System	Canonical	Ubuntu Linux	18.04	All	All	All
Operating System	Canonical	Ubuntu Linux	19.04	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Operating System	Fedoraproject	Fedora	29	All	All	All
Operating System	Fedoraproject	Fedora	30	All	All	All
Operating System	Fedoraproject	Fedora	29	All	All	All
Operating System	Fedoraproject	Fedora	30	All	All	All
Application	Mcafee	Web Gateway	All	All	All	All
Application	Mcafee	Web Gateway	All	All	All	All
Application	Nodejs	Node.js	All	All	All	All
Application	Nodejs	Node.js	All	All	All	All
Application	Nodejs	Node.js	All	All	All	All
Application	Nodejs	Node.js	All	All	All	All
Operating System	Opensuse	Leap	15.0	All	All	All
Operating System	Opensuse	Leap	15.1	All	All	All
Operating System	Opensuse	Leap	15.0	All	All	All
Operating System	Opensuse	Leap	15.1	All	All	All
Application	Oracle	Graalvm	19.2.0	All	All	All
Application	Oracle	Graalvm	19.2.0	All	All	All
Operating System	Redhat	Enterprise Linux	8.0	All	All	All
Operating System	Redhat	Enterprise Linux	8.0	All	All	All
Application	Redhat	Jboss Core Services	1.0	All	All	All
Application	Redhat	Jboss Core Services	1.0	All	All	All
Application	Redhat	Jboss Enterprise Application Platform	7.2.0	All	All	All
Application	Redhat	Jboss Enterprise Application Platform	7.3.0	All	All	All
Application	Redhat	Jboss Enterprise Application Platform	7.2.0	All	All	All
Application	Redhat	Jboss Enterprise Application Platform	7.3.0	All	All	All
Application	Redhat	Openshift Service Mesh	1.0	All	All	All
Application	Redhat	Openshift Service Mesh	1.0	All	All	All
Application	Redhat	Quay	3.0.0	All	All	All
Application	Redhat	Quay	3.0.0	All	All	All
Application	Redhat	Software Collections	1.0	All	All	All
Application	Redhat	Software Collections	1.0	All	All	All
Application	Synology	Diskstation Manager	6.2	All	All	All
Application	Synology	Diskstation Manager	6.2	All	All	All
Application	Synology	Skynas	-	All	All	All
Application	Synology	Skynas	-	All	All	All
Hardware	Synology	Vs960hd	-	All	All	All
Hardware	Synology	Vs960hd	-	All	All	All
Operating System	Synology	Vs960hd Firmware	-	All	All	All
Operating System	Synology	Vs960hd Firmware	-	All	All	All

References

Reference	Source	Link	Tags
support.f5.com/csp/article/K46011592	CONFIRM	support.f5.com	Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Bugtraq: [SECURITY] [DSA 4520-1] trafficserver security update	BUGTRAQ	seclists.org	Mailing List, Third Party Advisory
[SECURITY] Fedora 29 Update: nodejs-10.16.3-1.fc29 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org	Mailing List, Third Party Advisory
support.f5.com/csp/article/K46011592	CONFIRM	support.f5.com	Third Party Advisory
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Full Disclosure: APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0	FULLDISC	seclists.org	Mailing List, Third Party Advisory
Bugtraq: APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0	BUGTRAQ	seclists.org	Mailing List, Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
McAfee Security Bulletin - Updates and product status for HTTP/2 vulnerabilities (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518, CVE-2019-3643, and CVE-2019-3644)	CONFIRM	kc.mcafee.com	Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
August 2019 Node.js Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com	Third Party Advisory
Synology Inc.	CONFIRM	www.synology.com	Third Party Advisory
Pony Mail!		lists.apache.org
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
[security-announce] openSUSE-SU-2019:2115-1: important: Security update	SUSE	lists.opensuse.org	Mailing List, Third Party Advisory
security-bulletins/2019-002.md at master · Netflix/security-bulletins · GitHub	MISC	github.com	Third Party Advisory
[SECURITY] Fedora 29 Update: nodejs-10.16.3-1.fc29 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Pony Mail!	MLIST	lists.apache.org	Issue Tracking, Third Party Advisory
[SECURITY] Fedora 30 Update: nodejs-10.16.3-1.fc30 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
myF5		support.f5.com
Pony Mail!		lists.apache.org
Debian -- Security Information -- DSA-4520-1 trafficserver	DEBIAN	www.debian.org	Third Party Advisory
[security-announce] openSUSE-SU-2019:2114-1: important: Security update	SUSE	lists.opensuse.org	Mailing List, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org	Issue Tracking, Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
[SECURITY] Fedora 30 Update: nodejs-10.16.3-1.fc30 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org	Mailing List, Third Party Advisory
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Issue Tracking, Third Party Advisory
VU#605641 - HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustion	CERT-VN	kb.cert.org	Third Party Advisory, US Government Resource
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

LEGACY: Thanks to Piotr Sikora of Google for reporting this vulnerability.

Legacy QID Mappings

296079 Oracle Solaris 11.4 Support Repository Update (SRU) 15.5.0 Missing (CPUOCT2019)
500434 Alpine Linux Security Update for nodejs
504197 Alpine Linux Security Update for nodejs
940051 AlmaLinux Security Update for nodejs:10 (ALSA-2019:2925)