CVE-2019-9517 Information

Description

Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses this can consume excess memory CPU or both.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Reference

http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html http://www.openwall.com/lists/oss-security/2019/08/15/7 https://access.redhat.com/errata/RHSA-2019:2893 https://access.redhat.com/errata/RHSA-2019:2925 https://access.redhat.com/errata/RHSA-2019:2939 https://access.redhat.com/errata/RHSA-2019:2946 https://access.redhat.com/errata/RHSA-2019:2949 https://access.redhat.com/errata/RHSA-2019:2950 https://access.redhat.com/errata/RHSA-2019:2955 https://access.redhat.com/errata/RHSA-2019:3932 https://access.redhat.com/errata/RHSA-2019:3933 https://access.redhat.com/errata/RHSA-2019:3935 https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md https://kb.cert.org/vuls/id/605641/ https://kc.mcafee.com/corporate/index?page=content&id=SB10296 https://lists.apache.org/thread.html/4610762456644181b267c846423b3a990bd4aaea1886ecc7d51febdb@3Cannounce.httpd.apache.org3E https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@3Ccvs.httpd.apache.org3E https://lists.apache.org/thread.html/d89f999e26dfb1d50f247ead1fe8538014eb412b2dbe5be4b1a9ef50@3Cdev.httpd.apache.org3E https://lists.apache.org/thread.html/ec97fdfc1a859266e56fef084353a34e0a0b08901b3c1aa317a43c8c@3Cdev.httpd.apache.org3E https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@3Ccvs.httpd.apache.org3E https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@3Ccvs.httpd.apache.org3E https://lists.fedoraproject.org/archives/list/[email protected]/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/ https://lists.fedoraproject.org/archives/list/[email protected]/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/ https://lists.fedoraproject.org/archives/list/[email protected]/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/ https://lists.fedoraproject.org/archives/list/[email protected]/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/ https://seclists.org/bugtraq/2019/Aug/47 https://security.gentoo.org/glsa/201909-04 https://security.netapp.com/advisory/ntap-20190823-0003/ https://security.netapp.com/advisory/ntap-20190823-0005/ https://security.netapp.com/advisory/ntap-20190905-0003/ https://support.f5.com/csp/article/K02591030 https://support.f5.com/csp/article/K02591030?utm_source=f5support&utm_medium=RSS https://usn.ubuntu.com/4113-1/ https://www.debian.org/security/2019/dsa-4509 https://www.oracle.com/security-alerts/cpuapr2020.html https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html https://www.synology.com/security/advisory/Synology_SA_19_33

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

NONE

Base Score

HIGH

Base Severity

7.5