Vulnerability Details : CVE-2019-9514
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
Vulnerability category: Denial of service
Products affected by CVE-2019-9514
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform:3.9:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform:3.10:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_container_platform:4.2:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_core_services:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:single_sign-on:7.3:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:developer_tools:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:quay:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_service_mesh:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:apple:swiftnio:*:*:*:*:*:*:*:* (when used together with: Canonical » Ubuntu Linux)
- cpe:2.3:a:oracle:graalvm:19.2.0:*:*:*:enterprise:*:*:*
- cpe:2.3:a:f5:big-ip_local_traffic_manager:*:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:web_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:cloud_insights:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:trident:-:*:*:*:*:*:*:*
- cpe:2.3:a:synology:skynas:-:*:*:*:*:*:*:*
- cpe:2.3:o:synology:vs960hd_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Threat overview for CVE-2019-9514
- Top open port discovered on systems with this issue: 53
- IPs affected by CVE-2019-9514: 58,437
- Threat actors abusing this issue: Yes
Exploit prediction scoring system (EPSS) score for CVE-2019-9514
- EPSS score: 7.86% (probability of exploitation activity in the next 30 days)
- Percentile: ~91% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2019-9514
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
| 7.8 | HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C | 10.0 | 6.9 | NIST | |
| 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | CERT/CC | |
| 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2019-9514
- The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Assigned by: cret@cert.org (Secondary)
- The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-9514
- https://security.netapp.com/advisory/ntap-20190823-0001/ (August 2019 Kubernetes Vulnerabilities in NetApp Products | NetApp Product Security) [Third Party Advisory]
- https://www.debian.org/security/2020/dsa-4669 (Debian -- Security Information -- DSA-4669-1 nodejs) [Third Party Advisory]
- https://support.f5.com/csp/article/K01988340?utm_source=f5support&%3Butm_medium=RSS (HTTP/2 Reset Flood vulnerability CVE-2019-9514) [Third Party Advisory]
- https://seclists.org/bugtraq/2019/Aug/43 (Bugtraq: [SECURITY] [DSA 4508-1] h2o security update) [Mailing List; Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:2939 (RHSA-2019:2939 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:2726 (RHSA-2019:2726 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://usn.ubuntu.com/4308-1/ (USN-4308-1: Twisted vulnerabilities | Ubuntu security notices) [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:4041 (RHSA-2019:4041 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E ([ANNOUNCE] Apache Traffic Server is vulnerable to various HTTP/2 attacks - Apache Mail Archives) [Mailing List; Third Party Advisory]
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.html ([security-announce] openSUSE-SU-2019:2130-1: moderate: Security update f) [Mailing List; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7/ ([SECURITY] Fedora 29 Update: golang-1.11.13-1.fc29 - package-announce - Fedora Mailing-Lists) [Mailing List; Third Party Advisory]
- https://www.synology.com/security/advisory/Synology_SA_19_33 (Synology Inc.) [Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/ ([SECURITY] Fedora 29 Update: nodejs-10.16.3-1.fc29 - package-announce - Fedora Mailing-Lists) [Mailing List; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/ ([SECURITY] Fedora 30 Update: nodejs-10.16.3-1.fc30 - package-announce - Fedora Mailing-Lists) [Mailing List; Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:2966 (RHSA-2019:2966 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:2955 (RHSA-2019:2955 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:2766 (RHSA-2019:2766 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:4042 (RHSA-2019:4042 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- http://www.openwall.com/lists/oss-security/2023/10/18/8 (oss-security - Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations)
- https://access.redhat.com/errata/RHSA-2019:2594 (RHSA-2019:2594 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:2925 (RHSA-2019:2925 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:2682 (RHSA-2019:2682 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.html ([security-announce] openSUSE-SU-2019:2085-1: moderate: Security update f) [Mailing List; Third Party Advisory]
- https://www.debian.org/security/2019/dsa-4520 (Debian -- Security Information -- DSA-4520-1 trafficserver) [Third Party Advisory]
- https://www.debian.org/security/2019/dsa-4508 (Debian -- Security Information -- DSA-4508-1 h2o) [Third Party Advisory]
- http://seclists.org/fulldisclosure/2019/Aug/16 (Full Disclosure: APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0) [Mailing List; Third Party Advisory]
- https://lists.debian.org/debian-lts-announce/2020/12/msg00011.html [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:4273 (RHSA-2019:4273 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html ([security-announce] openSUSE-SU-2019:2000-1: important: Security update) [Mailing List; Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:4020 (RHSA-2019:4020 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://seclists.org/bugtraq/2019/Sep/18 (Bugtraq: [SECURITY] [DSA 4520-1] trafficserver security update) [Mailing List; Third Party Advisory]
- https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3E ([ANNOUNCE] Apache Traffic Server is vulnerable to various HTTP/2 attacks - Pony Mail) [Mailing List; Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:4040 (RHSA-2019:4040 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:4018 (RHSA-2019:4018 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:4269 (RHSA-2019:4269 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E ([ANNOUNCE] Apache Traffic Server is vulnerable to various HTTP/2 attacks - Pony Mail) [Mailing List; Third Party Advisory]
- https://kb.cert.org/vuls/id/605641/ (VU#605641 - HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustion) [Third Party Advisory; US Government Resource]
- https://access.redhat.com/errata/RHSA-2019:2661 (RHSA-2019:2661 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:2796 (RHSA-2019:2796 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:3245 (RHSA-2019:3245 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- http://www.openwall.com/lists/oss-security/2019/08/20/1 (oss-security - [ANNOUNCE] Security release of Kubernetes v1.15.3, v1.14.6, v1.13.10 - CVE-2019-9512 and CVE-2019-9514) [Mailing List; Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:2861 (RHSA-2019:2861 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://security.netapp.com/advisory/ntap-20190823-0004/ (August 2019 Golang Vulnerabilities in NetApp Products | NetApp Product Security) [Third Party Advisory]
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html ([security-announce] openSUSE-SU-2019:2114-1: important: Security update) [Mailing List; Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:2769 (RHSA-2019:2769 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:2690 (RHSA-2019:2690 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://seclists.org/bugtraq/2019/Aug/24 (Bugtraq: APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0) [Mailing List; Third Party Advisory]
- https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md (security-bulletins/2019-002.md at master · Netflix/security-bulletins · GitHub) [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:3906 (RHSA-2019:3906 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.html ([security-announce] openSUSE-SU-2019:2072-1: moderate: Security update f) [Mailing List; Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:3892 (RHSA-2019:3892 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:3265 (RHSA-2019:3265 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2020:0406 (RHSA-2020:0406 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:4352 (RHSA-2019:4352 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://security.netapp.com/advisory/ntap-20190823-0005/ (August 2019 Node.js Vulnerabilities in NetApp Products | NetApp Product Security) [Third Party Advisory]
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html ([security-announce] openSUSE-SU-2019:2056-1: moderate: Security update f) [Mailing List; Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:4019 (RHSA-2019:4019 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://kc.mcafee.com/corporate/index?page=content&id=SB10296 (McAfee Security Bulletin - Updates and product status for HTTP/2 vulnerabilities (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518) [Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQ/ ([SECURITY] Fedora 30 Update: golang-1.12.9-1.fc30 - package-announce - Fedora Mailing-Lists) [Mailing List; Third Party Advisory]
- https://www.debian.org/security/2019/dsa-4503 (Debian -- Security Information -- DSA-4503-1 golang-1.11) [Third Party Advisory]
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html ([security-announce] openSUSE-SU-2019:2115-1: important: Security update) [Mailing List; Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2020:0727 (RHSA-2020:0727 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://seclists.org/bugtraq/2019/Aug/31 (Bugtraq: [SECURITY] [DSA 4503-1] golang-1.11 security update) [Mailing List; Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:3131 (RHSA-2019:3131 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:4045 (RHSA-2019:4045 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:4021 (RHSA-2019:4021 - Security Advisory - Red Hat Customer Portal) [Third Party Advisory]