Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

References
Link Providers
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00004.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html cve-icon cve-icon
http://www.openwall.com/lists/oss-security/2019/08/15/7 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2893 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2925 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2939 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2946 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2949 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2950 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:2955 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3932 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3933 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2019:3935 cve-icon cve-icon
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md cve-icon cve-icon cve-icon
https://kb.cert.org/vuls/id/605641/ cve-icon cve-icon cve-icon
https://kc.mcafee.com/corporate/index?page=content&id=SB10296 cve-icon cve-icon
https://lists.apache.org/thread.html/4610762456644181b267c846423b3a990bd4aaea1886ecc7d51febdb%40%3Cannounce.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/d89f999e26dfb1d50f247ead1fe8538014eb412b2dbe5be4b1a9ef50%40%3Cdev.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/ec97fdfc1a859266e56fef084353a34e0a0b08901b3c1aa317a43c8c%40%3Cdev.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46ce50eee90b2e36%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BP556LEG3WENHZI5TAQ6ZEBFTJB4E2IS/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/ cve-icon cve-icon
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XHTKU7YQ5EEP2XNSAV4M4VJ7QCBOJMOD/ cve-icon cve-icon
https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/ cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2019-9517 cve-icon
https://seclists.org/bugtraq/2019/Aug/47 cve-icon cve-icon
https://security.gentoo.org/glsa/201909-04 cve-icon cve-icon
https://security.netapp.com/advisory/ntap-20190823-0003/ cve-icon cve-icon
https://security.netapp.com/advisory/ntap-20190823-0005/ cve-icon cve-icon
https://security.netapp.com/advisory/ntap-20190905-0003/ cve-icon cve-icon
https://support.f5.com/csp/article/K02591030 cve-icon cve-icon
https://support.f5.com/csp/article/K02591030?utm_source=f5support&amp%3Butm_medium=RSS cve-icon cve-icon
https://usn.ubuntu.com/4113-1/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2019-9517 cve-icon
https://www.debian.org/security/2019/dsa-4509 cve-icon cve-icon
https://www.oracle.com/security-alerts/cpuapr2020.html cve-icon cve-icon
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html cve-icon cve-icon
https://www.synology.com/security/advisory/Synology_SA_19_33 cve-icon cve-icon
History

Tue, 14 Jan 2025 19:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:synology:diskstation_manager:6.2:*:*:*:*:*:*:* cpe:2.3:o:synology:diskstation_manager:6.2:*:*:*:*:*:*:*

cve-icon MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2024-08-04T21:54:44.675Z

Reserved: 2019-03-01T00:00:00

Link: CVE-2019-9517

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2019-08-13T21:15:12.647

Modified: 2025-01-14T19:29:55.853

Link: CVE-2019-9517

cve-icon Redhat

Severity : Important

Publid Date: 2019-08-13T00:00:00Z

Links: CVE-2019-9517 - Bugzilla

cve-icon OpenCVE Enrichment

No data.