CVE-2019-9518 : Some HTTP/2 implementations are vulnerable to a flood of empty frames, potential

Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.

Published 2019-08-13 21:15:13

Updated 2025-01-14 19:29:56

Source CERT/CC

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2019-9518

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 8.0
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 7.2.0
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Enterprise Application Platform » Version: 7.3.0
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3.0:*:*:*:*:*:*:*
Matching versions
Redhat » Software Collections » Version: 1.0
cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
Matching versions
Redhat » Jboss Core Services » Version: 1.0
cpe:2.3:a:redhat:jboss_core_services:1.0:*:*:*:*:*:*:*
Matching versions
Redhat » Quay » Version: 3.0.0
cpe:2.3:a:redhat:quay:3.0.0:*:*:*:*:*:*:*
Matching versions
Redhat » Openshift Service Mesh » Version: 1.0
cpe:2.3:a:redhat:openshift_service_mesh:1.0:*:*:*:*:*:*:*
Matching versions
Apache » Traffic Server
Versions from including (>=) 7.0.0 and up to, including, (<=) 7.1.6
cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*
Matching versions
Apache » Traffic Server
Versions from including (>=) 8.0.0 and up to, including, (<=) 8.0.3
cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*
Matching versions
Apache » Traffic Server
Versions from including (>=) 6.0.0 and up to, including, (<=) 6.2.3
cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*
Matching versions
Apple » Swiftnio
Versions from including (>=) 1.0.0 and up to, including, (<=) 1.4.0
cpe:2.3:a:apple:swiftnio:*:*:*:*:*:*:*:*
Matching versions
When used together with: Apple » Mac Os X
When used together with: Canonical » Ubuntu Linux
Oracle » Graalvm » Version: 19.2.0 Enterprise Edition
cpe:2.3:a:oracle:graalvm:19.2.0:*:*:*:enterprise:*:*:*
Matching versions
Mcafee » Web Gateway
Versions from including (>=) 8.1.0 and before (<) 8.2.0
cpe:2.3:a:mcafee:web_gateway:*:*:*:*:*:*:*:*
Matching versions
Mcafee » Web Gateway
Versions from including (>=) 7.8.2.0 and before (<) 7.8.2.13
cpe:2.3:a:mcafee:web_gateway:*:*:*:*:*:*:*:*
Matching versions
Mcafee » Web Gateway
Versions from including (>=) 7.7.2.0 and before (<) 7.7.2.24
cpe:2.3:a:mcafee:web_gateway:*:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 18.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 19.04
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 29
cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 30
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 15.0
cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
Matching versions
Opensuse » Leap » Version: 15.1
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
Matching versions
Synology » Skynas » Version: N/A
cpe:2.3:a:synology:skynas:-:*:*:*:*:*:*:*
Matching versions
Synology » Vs960hd Firmware » Version: N/A
cpe:2.3:o:synology:vs960hd_firmware:-:*:*:*:*:*:*:*
Matching versions
When used together with: Synology » Vs960hd » Version: N/A
Synology » Diskstation Manager » Version: 6.2
cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*
Matching versions
Nodejs » Node.js » LTS Edition
Versions from including (>=) 10.13.0 and before (<) 10.16.3
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
Matching versions
Nodejs » Node.js » LTS Edition
Versions from including (>=) 8.9.0 and before (<) 8.16.1
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*
Matching versions
Nodejs » Node.js »
Versions from including (>=) 10.0.0 and up to, including, (<=) 10.12.0
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Matching versions
Nodejs » Node.js »
Versions from including (>=) 8.0.0 and up to, including, (<=) 8.8.1
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Matching versions
Nodejs » Node.js »
Versions from including (>=) 12.0.0 and before (<) 12.8.1
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*
Matching versions

Threat overview for CVE-2019-9518

Top countries where our scanners detected CVE-2019-9518

Top open port discovered on systems with this issue 53

IPs affected by CVE-2019-9518 58,437

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2019-9518!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2019-9518

EPSS FAQ

3.67%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 87 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-9518

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.8	HIGH	AV:N/AC:L/Au:N/C:N/I:N/A:C	10.0	6.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete
7.5	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	CERT/CC
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2019-9518

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource.

Assigned by: cret@cert.org (Secondary)
CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-9518

https://support.f5.com/csp/article/K46011592

Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2939

RHSA-2019:2939 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rd31230d01fa6aad18bdadc0720acd1747e53690bd35f73a48e7a9b75%40%3Ccommits.cassandra.apache.org%3E

[jira] [Updated] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty-Apache Mail Archives
https://www.synology.com/security/advisory/Synology_SA_19_33

Synology Inc.
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/

[SECURITY] Fedora 29 Update: nodejs-10.16.3-1.fc29 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/

[SECURITY] Fedora 30 Update: nodejs-10.16.3-1.fc30 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:2955

RHSA-2019:2955 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:2925

RHSA-2019:2925 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://www.debian.org/security/2019/dsa-4520

Debian -- Security Information -- DSA-4520-1 trafficserver
Third Party Advisory

CVEs referencing this url
http://seclists.org/fulldisclosure/2019/Aug/16

Full Disclosure: APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/ff5b0821a6985159a832ff6d1a4bd311ac07ecc7db1e2d8bab619107%40%3Cdev.trafficserver.apache.org%3E

ATS is vulnerable to a HTTP/2 attack with empty frames-Apache Mail Archives
https://lists.apache.org/thread.html/rd31230d01fa6aad18bdadc0720acd1747e53690bd35f73a48e7a9b75@%3Ccommits.cassandra.apache.org%3E

Pony Mail!
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/091b518265bce56a16af87b77c8cfacda902a02079e866f9fdf13b61%40%3Cusers.trafficserver.apache.org%3E

ATS is vulnerable to a HTTP/2 attack with empty frames-Apache Mail Archives
https://lists.apache.org/thread.html/r99a625fb17032646d96cd23dec49603ff630e9318e44a686d63046bc@%3Ccommits.cassandra.apache.org%3E

Pony Mail!
Mailing List;Third Party Advisory
https://seclists.org/bugtraq/2019/Sep/18

Bugtraq: [SECURITY] [DSA 4520-1] trafficserver security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://kb.cert.org/vuls/id/605641/

VU#605641 - HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustion
Third Party Advisory;US Government Resource

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html

[security-announce] openSUSE-SU-2019:2114-1: important: Security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://seclists.org/bugtraq/2019/Aug/24

Bugtraq: APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0
Mailing List;Third Party Advisory

CVEs referencing this url
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

security-bulletins/2019-002.md at master · Netflix/security-bulletins · GitHub
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/2653c56545573b528f3f6352a29eccaf498bd6fb2a6a59568d81a61d%40%3Cannounce.trafficserver.apache.org%3E

ATS is vulnerable to a HTTP/2 attack with empty frames-Apache Mail Archives
https://lists.apache.org/thread.html/ff5b0821a6985159a832ff6d1a4bd311ac07ecc7db1e2d8bab619107@%3Cdev.trafficserver.apache.org%3E

ATS is vulnerable to a HTTP/2 attack with empty frames - Pony Mail
Issue Tracking;Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3892

RHSA-2019:3892 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/2653c56545573b528f3f6352a29eccaf498bd6fb2a6a59568d81a61d@%3Cannounce.trafficserver.apache.org%3E

ATS is vulnerable to a HTTP/2 attack with empty frames - Pony Mail
Issue Tracking;Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:4352

RHSA-2019:4352 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/

[SECURITY] Fedora 29 Update: nodejs-10.16.3-1.fc29 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20190823-0005/

August 2019 Node.js Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E

[GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://support.f5.com/csp/article/K46011592?utm_source=f5support&utm_medium=RSS

Third Party Advisory
https://support.f5.com/csp/article/K46011592?utm_source=f5support&amp%3Butm_medium=RSS

Article Detail
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/

[SECURITY] Fedora 30 Update: nodejs-10.16.3-1.fc30 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://kc.mcafee.com/corporate/index?page=content&id=SB10296

McAfee Security Bulletin - Updates and product status for HTTP/2 vulnerabilities (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514, CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518
Third Party Advisory

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html

[security-announce] openSUSE-SU-2019:2115-1: important: Security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/091b518265bce56a16af87b77c8cfacda902a02079e866f9fdf13b61@%3Cusers.trafficserver.apache.org%3E

ATS is vulnerable to a HTTP/2 attack with empty frames - Pony Mail
Issue Tracking;Third Party Advisory
https://access.redhat.com/errata/RHSA-2020:0727

RHSA-2020:0727 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E

[GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities-Apache Mail Archives

CVEs referencing this url
https://lists.apache.org/thread.html/r99a625fb17032646d96cd23dec49603ff630e9318e44a686d63046bc%40%3Ccommits.cassandra.apache.org%3E

[jira] [Created] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty-Apache Mail Archives