CVE-2019-9517

HIGH

Description

Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.

References

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00004.html

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html

http://www.openwall.com/lists/oss-security/2019/08/15/7

https://access.redhat.com/errata/RHSA-2019:2893

https://access.redhat.com/errata/RHSA-2019:2925

https://access.redhat.com/errata/RHSA-2019:2939

https://access.redhat.com/errata/RHSA-2019:2946

https://access.redhat.com/errata/RHSA-2019:2949

https://access.redhat.com/errata/RHSA-2019:2950

https://access.redhat.com/errata/RHSA-2019:2955

https://access.redhat.com/errata/RHSA-2019:3932

https://access.redhat.com/errata/RHSA-2019:3933

https://access.redhat.com/errata/RHSA-2019:3935

https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

https://kb.cert.org/vuls/id/605641/

https://kc.mcafee.com/corporate/index?page=content&id=SB10296

https://lists.apache.org/thread.html/[email protected]%3Cannounce.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.fedoraproject.org/archives/list/[email protected]/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/

https://lists.fedoraproject.org/archives/list/[email protected]/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/

https://lists.fedoraproject.org/archives/list/[email protected]/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/

https://lists.fedoraproject.org/archives/list/[email protected]/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/

https://seclists.org/bugtraq/2019/Aug/47

https://security.gentoo.org/glsa/201909-04

https://security.netapp.com/advisory/ntap-20190823-0003/

https://security.netapp.com/advisory/ntap-20190823-0005/

https://security.netapp.com/advisory/ntap-20190905-0003/

https://support.f5.com/csp/article/K02591030

https://support.f5.com/csp/article/K02591030?utm_source=f5support&utm_medium=RSS

https://usn.ubuntu.com/4113-1/

https://www.debian.org/security/2019/dsa-4509

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

https://www.synology.com/security/advisory/Synology_SA_19_33

Details

Source: MITRE

Published: 2019-08-13

Updated: 2021-03-30

Type: CWE-770

Risk Information

CVSS v2.0

Base Score: 7.8

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Impact Score: 6.9

Exploitability Score: 10

Severity: HIGH

CVSS v3.0

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Vulnerable Software

Configuration 1

AND

OR

cpe:2.3:a:apple:swiftnio:*:*:*:*:*:*:*:*

OR

cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:*:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:* versions from 6.0.0 to 6.2.3 (inclusive)

cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:* versions from 7.0.0 to 7.1.6 (inclusive)

cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:* versions from 8.0.0 to 8.0.3 (inclusive)

Configuration 3

OR

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 5

OR

cpe:2.3:a:synology:diskstation_manager:6.2:*:*:*:*:*:*:*

cpe:2.3:a:synology:skynas:-:*:*:*:*:*:*:*

Configuration 6

AND

OR

cpe:2.3:o:synology:vs960hd_firmware:-:*:*:*:*:*:*:*

OR

cpe:2.3:h:synology:vs960hd:-:*:*:*:*:*:*:*

Configuration 7

OR

cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

Configuration 8

OR

cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Configuration 9

OR

cpe:2.3:a:redhat:jboss_core_services:1.0:*:*:*:*:*:*:*

cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*

cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3.0:*:*:*:*:*:*:*

cpe:2.3:a:redhat:openshift_service_mesh:1.0:*:*:*:*:*:*:*

cpe:2.3:a:redhat:quay:3.0.0:*:*:*:*:*:*:*

cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Configuration 10

OR

cpe:2.3:a:oracle:communications_element_manager:8.0.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_element_manager:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*

cpe:2.3:a:oracle:graalvm:19.2.0:*:*:*:enterprise:*:*:*

cpe:2.3:a:oracle:instantis_enterprisetrack:*:*:*:*:*:*:*:* versions from 17.1 to 17.3 (inclusive)

cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*

Configuration 11

OR

cpe:2.3:a:mcafee:web_gateway:*:*:*:*:*:*:*:*

cpe:2.3:a:mcafee:web_gateway:*:*:*:*:*:*:*:*

cpe:2.3:a:mcafee:web_gateway:*:*:*:*:*:*:*:*

Configuration 12

OR

cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*

Tenable Plugins

View all (36 total)

IDNameProductFamilySeverity
145684CentOS 8 : httpd:2.4 (CESA-2019:2893)NessusCentOS Local Security Checks
high
145589CentOS 8 : nodejs:10 (CESA-2019:2925)NessusCentOS Local Security Checks
high
135160Slackware 14.0 / 14.1 / 14.2 / current : httpd (SSA:2020-091-02) (Internal Data Buffering)NessusSlackware Local Security Checks
medium
135146EulerOS Virtualization for ARM 64 3.0.6.0 : httpd (EulerOS-SA-2020-1359)NessusHuawei Local Security Checks
medium
133989EulerOS 2.0 SP8 : httpd (EulerOS-SA-2020-1155)NessusHuawei Local Security Checks
medium
133057Oracle Enterprise Manager Ops Center (Oct 2019 CPU)NessusMisc.
medium
132767SUSE SLES12 Security Update : nodejs12 (SUSE-SU-2020:0059-1) (0-Length Headers Leak) (Data Dribble) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood)NessusSuSE Local Security Checks
medium
131216RHEL 7 : JBoss Core Services (RHSA-2019:3933) (0-Length Headers Leak) (Data Dribble) (Internal Data Buffering) (Resource Loop)NessusRed Hat Local Security Checks
medium
131215RHEL 6 : JBoss Core Services (RHSA-2019:3932) (0-Length Headers Leak) (Data Dribble) (Internal Data Buffering) (Resource Loop)NessusRed Hat Local Security Checks
medium
130401Amazon Linux 2 : mod_http2 (ALAS-2019-1342) (0-Length Headers Leak) (Data Dribble) (Internal Data Buffering)NessusAmazon Linux Local Security Checks
high
130281Amazon Linux AMI : httpd24 (ALAS-2019-1311) (Internal Data Buffering)NessusAmazon Linux Local Security Checks
medium
129520RHEL 6 / 7 : Red Hat JBoss Core Services Apache HTTP Server 2.4.29 SP3 (RHSA-2019:2946) (0-Length Headers Leak) (Data Dribble) (Internal Data Buffering) (Resource Loop)NessusRed Hat Local Security Checks
high
129514Oracle Linux 8 : nodejs:10 (ELSA-2019-2925) (0-Length Headers Leak) (Data Dribble) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood)NessusOracle Linux Local Security Checks
high
129480RHEL 8 : nodejs:10 (RHSA-2019:2925) (0-Length Headers Leak) (Data Dribble) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood)NessusRed Hat Local Security Checks
high
129333RHEL 8 : httpd:2.4 (RHSA-2019:2893) (Internal Data Buffering)NessusRed Hat Local Security Checks
high
129330Oracle Linux 8 : httpd:2.4 (ELSA-2019-2893) (Internal Data Buffering)NessusOracle Linux Local Security Checks
high
128993Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : Apache HTTP Server regression (USN-4113-2) (Internal Data Buffering)NessusUbuntu Local Security Checks
medium
128669openSUSE Security Update : nodejs8 (openSUSE-2019-2115) (0-Length Headers Leak) (Data Dribble) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood)NessusSuSE Local Security Checks
high
128668openSUSE Security Update : nodejs10 (openSUSE-2019-2114) (0-Length Headers Leak) (Data Dribble) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood)NessusSuSE Local Security Checks
high
128612SUSE SLES12 Security Update : apache2 (SUSE-SU-2019:2329-1) (Internal Data Buffering)NessusSuSE Local Security Checks
medium
128593GLSA-201909-04 : Apache: Multiple vulnerabilities (Internal Data Buffering)NessusGentoo Local Security Checks
medium
128468SUSE SLES15 Security Update : nodejs8 (SUSE-SU-2019:2260-1) (0-Length Headers Leak) (Data Dribble) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood)NessusSuSE Local Security Checks
high
128467SUSE SLES15 Security Update : nodejs10 (SUSE-SU-2019:2259-1) (0-Length Headers Leak) (Data Dribble) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood)NessusSuSE Local Security Checks
high
128460openSUSE Security Update : apache2 (openSUSE-2019-2051) (Internal Data Buffering)NessusSuSE Local Security Checks
medium
128436Fedora 30 : mod_http2 (2019-63ba15cc83) (0-Length Headers Leak) (Data Dribble) (Internal Data Buffering)NessusFedora Local Security Checks
high
128412Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : Apache HTTP Server vulnerabilities (USN-4113-1) (Internal Data Buffering)NessusUbuntu Local Security Checks
medium
128411SUSE SLES12 Security Update : nodejs10 (SUSE-SU-2019:2254-1) (0-Length Headers Leak) (Data Dribble) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood)NessusSuSE Local Security Checks
high
128400Fedora 29 : mod_http2 (2019-4427fd65be) (0-Length Headers Leak) (Data Dribble) (Internal Data Buffering)NessusFedora Local Security Checks
high
128316SUSE SLED15 / SLES15 Security Update : apache2 (SUSE-SU-2019:2237-1) (Internal Data Buffering)NessusSuSE Local Security Checks
medium
128182Debian DSA-4509-1 : apache2 - security update (Internal Data Buffering)NessusDebian Local Security Checks
medium
128133Fedora 29 : 1:nodejs (2019-6a2980de56) (0-Length Headers Leak) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood)NessusFedora Local Security Checks
high
128131Fedora 30 : 1:nodejs (2019-5a6a7bc12c) (0-Length Headers Leak) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood)NessusFedora Local Security Checks
high
128043FreeBSD : Node.js -- multiple vulnerabilities (c97a940b-c392-11e9-bb38-000d3ab229d6) (0-Length Headers Leak) (Data Dribble) (Empty Frames Flood) (Internal Data Buffering) (Ping Flood) (Reset Flood) (Resource Loop) (Settings Flood)NessusFreeBSD Local Security Checks
high
98669Apache 2.4.x < 2.4.41 Multiple VulnerabilitiesWeb Application ScanningComponent Vulnerability
high
128033Apache 2.4.x < 2.4.41 Multiple VulnerabilitiesNessusWeb Servers
medium
127951FreeBSD : Apache -- Multiple vulnerabilities (caf545f2-c0d9-11e9-9051-4c72b94353b5) (Internal Data Buffering)NessusFreeBSD Local Security Checks
medium