Vulnerability Details : CVE-2019-9517
Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.
Vulnerability category: Denial of service
Products affected by CVE-2019-9517
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_core_services:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:quay:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openshift_service_mesh:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*
- cpe:2.3:a:apple:swiftnio:*:*:*:*:*:*:*:*When used together with: Canonical » Ubuntu Linux
- cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*
- Oracle » Instantis EnterprisetrackVersions from including (>=) 17.1 and up to, including, (<=) 17.3cpe:2.3:a:oracle:instantis_enterprisetrack:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:graalvm:19.2.0:*:*:*:enterprise:*:*:*
- cpe:2.3:a:oracle:communications_element_manager:8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_element_manager:8.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_element_manager:8.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:communications_element_manager:8.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:web_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:web_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:a:mcafee:web_gateway:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*
- cpe:2.3:a:synology:skynas:-:*:*:*:*:*:*:*
- cpe:2.3:o:synology:vs960hd_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
- cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Threat overview for CVE-2019-9517
Top countries where our scanners detected CVE-2019-9517
Top open port discovered on systems with this issue
80
IPs affected by CVE-2019-9517 2,004,341
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2019-9517!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2019-9517
4.56%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 88 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-9517
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.8
|
HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C |
10.0
|
6.9
|
NIST | |
|
7.5
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
CERT/CC | |
|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2019-9517
-
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.Assigned by: cret@cert.org (Secondary)
-
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-9517
-
https://usn.ubuntu.com/4113-1/
USN-4113-1: Apache HTTP Server vulnerabilities | Ubuntu security noticesThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/
[SECURITY] Fedora 29 Update: mod_http2-1.15.3-2.fc29 - package-announce - Fedora Mailing-Lists
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/
[SECURITY] Fedora 29 Update: mod_http2-1.15.3-2.fc29 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://seclists.org/bugtraq/2019/Aug/47
Bugtraq: [SECURITY] [DSA 4509-1] apache2 security updateMailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2939
RHSA-2019:2939 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00004.html
[security-announce] openSUSE-SU-2019:2051-1: important: Security updateMailing List;Third Party Advisory
-
https://www.oracle.com/security-alerts/cpuapr2020.html
Oracle Critical Patch Update Advisory - April 2020Third Party Advisory
-
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E
Pony Mail!Mailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E
Pony Mail!Mailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2946
RHSA-2019:2946 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_
-
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Page not found | OraclePatch;Third Party Advisory
-
https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46ce50eee90b2e36%40%3Ccvs.httpd.apache.org%3E
Apache Mail Archives
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/
[SECURITY] Fedora 30 Update: mod_http2-1.15.3-2.fc30 - package-announce - Fedora Mailing-Lists
-
https://www.synology.com/security/advisory/Synology_SA_19_33
Synology Inc.Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/
[SECURITY] Fedora 29 Update: nodejs-10.16.3-1.fc29 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/
[SECURITY] Fedora 30 Update: nodejs-10.16.3-1.fc30 - package-announce - Fedora Mailing-Lists
-
https://access.redhat.com/errata/RHSA-2019:2955
RHSA-2019:2955 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E
svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/-Apache Mail Archives
-
https://support.f5.com/csp/article/K02591030?utm_source=f5support&%3Butm_medium=RSS
Article Detail
-
https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538%40%3Ccvs.httpd.apache.org%3E
Apache Mail Archives
-
https://security.gentoo.org/glsa/201909-04
Apache: Multiple vulnerabilities (GLSA 201909-04) — Gentoo securityThird Party Advisory
-
https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d%40%3Ccvs.httpd.apache.org%3E
Apache Mail Archives
-
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_
-
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E
svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html sMailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2925
RHSA-2019:2925 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.apache.org/thread.html/ec97fdfc1a859266e56fef084353a34e0a0b08901b3c1aa317a43c8c%40%3Cdev.httpd.apache.org%3E
CVE-2019-10097 vs. CHANGEs entry-Apache Mail Archives
-
https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3Ccvs.httpd.apache.org%3E
svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/ - Pony MailMailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2893
RHSA-2019:2893 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2949
RHSA-2019:2949 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://security.netapp.com/advisory/ntap-20190905-0003/
September 2019 Apache HTTP Server Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/ - Pony MailMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/d89f999e26dfb1d50f247ead1fe8538014eb412b2dbe5be4b1a9ef50@%3Cdev.httpd.apache.org%3E
Pony Mail!Issue Tracking;Third Party Advisory
-
https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d@%3Ccvs.httpd.apache.org%3E
svn commit: r1073139 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/json/ - Pony MailMailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:2950
RHSA-2019:2950 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.apache.org/thread.html/4610762456644181b267c846423b3a990bd4aaea1886ecc7d51febdb@%3Cannounce.httpd.apache.org%3E
CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers - Pony MailIssue Tracking;Third Party Advisory
-
https://kb.cert.org/vuls/id/605641/
VU#605641 - HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustionThird Party Advisory;US Government Resource
-
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E
svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_Issue Tracking;Third Party Advisory
-
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/-Apache Mail Archives
-
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html
[security-announce] openSUSE-SU-2019:2114-1: important: Security updateMailing List;Third Party Advisory
-
https://www.debian.org/security/2019/dsa-4509
Debian -- Security Information -- DSA-4509-1 apache2Third Party Advisory
-
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
Pony Mail!Mailing List;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:3935
RHSA-2019:3935 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://support.f5.com/csp/article/K02591030
Third Party Advisory
-
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E
svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_2
-
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
security-bulletins/2019-002.md at master · Netflix/security-bulletins · GitHubThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:3932
RHSA-2019:3932 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://support.f5.com/csp/article/K02591030?utm_source=f5support&utm_medium=RSS
Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:3933
RHSA-2019:3933 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.apache.org/thread.html/4610762456644181b267c846423b3a990bd4aaea1886ecc7d51febdb%40%3Cannounce.httpd.apache.org%3E
CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workers-Apache Mail Archives
-
https://security.netapp.com/advisory/ntap-20190823-0003/
CVE-2019-9517 Apache HTTP Server Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E
svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_2Mailing List;Third Party Advisory
-
http://www.openwall.com/lists/oss-security/2019/08/15/7
oss-security - CVE-2019-9517: mod_http2, DoS attack by exhausting h2 workersMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/
[SECURITY] Fedora 29 Update: nodejs-10.16.3-1.fc29 - package-announce - Fedora Mailing-Lists
-
https://security.netapp.com/advisory/ntap-20190823-0005/
August 2019 Node.js Vulnerabilities in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/
[SECURITY] Fedora 30 Update: nodejs-10.16.3-1.fc30 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46ce50eee90b2e36@%3Ccvs.httpd.apache.org%3E
Pony Mail!Mailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538@%3Ccvs.httpd.apache.org%3E
svn commit: r1888194 [12/13] - /httpd/site/trunk/content/security/json/ - Pony MailMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/d89f999e26dfb1d50f247ead1fe8538014eb412b2dbe5be4b1a9ef50%40%3Cdev.httpd.apache.org%3E
Re: CVE-2019-10097 vs. CHANGEs entry-Apache Mail Archives
-
https://kc.mcafee.com/corporate/index?page=content&id=SB10296
McAfee Security Bulletin - Updates and product status for HTTP/2 vulnerabilities (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518Third Party Advisory
-
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/
[SECURITY] Fedora 30 Update: mod_http2-1.15.3-2.fc30 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html
[security-announce] openSUSE-SU-2019:2115-1: important: Security updateMailing List;Third Party Advisory
-
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/-Apache Mail Archives
-
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html s
-
https://lists.apache.org/thread.html/ec97fdfc1a859266e56fef084353a34e0a0b08901b3c1aa317a43c8c@%3Cdev.httpd.apache.org%3E
CVE-2019-10097 vs. CHANGEs entry - Pony MailIssue Tracking;Third Party Advisory
Jump to