{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "credits": [{"lang": "en", "value": "Thanks to Piotr Sikora of Google for reporting this vulnerability."}], "descriptions": [{"lang": "en", "value": "Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-26T16:06:12", "orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc"}, "references": [{"name": "VU#605641", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "https://kb.cert.org/vuls/id/605641/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"}, {"name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2019/Aug/24"}, {"name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2019/Aug/16"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.f5.com/csp/article/K46011592"}, {"name": "[trafficserver-announce] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/2653c56545573b528f3f6352a29eccaf498bd6fb2a6a59568d81a61d%40%3Cannounce.trafficserver.apache.org%3E"}, {"name": "[trafficserver-users] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/091b518265bce56a16af87b77c8cfacda902a02079e866f9fdf13b61%40%3Cusers.trafficserver.apache.org%3E"}, {"name": "[trafficserver-dev] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/ff5b0821a6985159a832ff6d1a4bd311ac07ecc7db1e2d8bab619107%40%3Cdev.trafficserver.apache.org%3E"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"}, {"name": "FEDORA-2019-5a6a7bc12c", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"}, {"name": "FEDORA-2019-6a2980de56", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"}, {"name": "DSA-4520", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2019/dsa-4520"}, {"name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2019/Sep/18"}, {"name": "openSUSE-SU-2019:2114", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"}, {"name": "openSUSE-SU-2019:2115", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10296"}, {"name": "RHSA-2019:2925", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2925"}, {"name": "RHSA-2019:2939", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2939"}, {"name": "RHSA-2019:2955", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2955"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://support.f5.com/csp/article/K46011592?utm_source=f5support&amp%3Butm_medium=RSS"}, {"name": "RHSA-2019:3892", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:3892"}, {"name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"}, {"name": "RHSA-2019:4352", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:4352"}, {"name": "RHSA-2020:0727", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2020:0727"}, {"name": "[cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r99a625fb17032646d96cd23dec49603ff630e9318e44a686d63046bc%40%3Ccommits.cassandra.apache.org%3E"}, {"name": "[cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/rd31230d01fa6aad18bdadc0720acd1747e53690bd35f73a48e7a9b75%40%3Ccommits.cassandra.apache.org%3E"}], "source": {"discovery": "UNKNOWN"}, "title": "Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service", "x_generator": {"engine": "Vulnogram 0.0.7"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "HTTP/2 Empty Frame Flooding", "ASSIGNER": "cert@cert.org", "ID": "CVE-2019-9518", "STATE": "PUBLIC", "TITLE": "Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "credit": [{"lang": "eng", "value": "Thanks to Piotr Sikora of Google for reporting this vulnerability."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU."}]}, "generator": {"engine": "Vulnogram 0.0.7"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "VU#605641", "refsource": "CERT-VN", "url": "https://kb.cert.org/vuls/id/605641/"}, {"name": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", "refsource": "MISC", "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"}, {"name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Aug/24"}, {"name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2019/Aug/16"}, {"name": "https://www.synology.com/security/advisory/Synology_SA_19_33", "refsource": "CONFIRM", "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"}, {"name": "https://support.f5.com/csp/article/K46011592", "refsource": "CONFIRM", "url": "https://support.f5.com/csp/article/K46011592"}, {"name": "[trafficserver-announce] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/2653c56545573b528f3f6352a29eccaf498bd6fb2a6a59568d81a61d@%3Cannounce.trafficserver.apache.org%3E"}, {"name": "[trafficserver-users] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/091b518265bce56a16af87b77c8cfacda902a02079e866f9fdf13b61@%3Cusers.trafficserver.apache.org%3E"}, {"name": "[trafficserver-dev] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ff5b0821a6985159a832ff6d1a4bd311ac07ecc7db1e2d8bab619107@%3Cdev.trafficserver.apache.org%3E"}, {"name": "https://security.netapp.com/advisory/ntap-20190823-0005/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"}, {"name": "FEDORA-2019-5a6a7bc12c", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"}, {"name": "FEDORA-2019-6a2980de56", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"}, {"name": "DSA-4520", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2019/dsa-4520"}, {"name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Sep/18"}, {"name": "openSUSE-SU-2019:2114", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"}, {"name": "openSUSE-SU-2019:2115", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"}, {"name": "https://kc.mcafee.com/corporate/index?page=content&id=SB10296", "refsource": "CONFIRM", "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10296"}, {"name": "RHSA-2019:2925", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2925"}, {"name": "RHSA-2019:2939", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2939"}, {"name": "RHSA-2019:2955", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2955"}, {"name": "https://support.f5.com/csp/article/K46011592?utm_source=f5support&utm_medium=RSS", "refsource": "CONFIRM", "url": "https://support.f5.com/csp/article/K46011592?utm_source=f5support&utm_medium=RSS"}, {"name": "RHSA-2019:3892", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:3892"}, {"name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E"}, {"name": "RHSA-2019:4352", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:4352"}, {"name": "RHSA-2020:0727", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2020:0727"}, {"name": "[cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r99a625fb17032646d96cd23dec49603ff630e9318e44a686d63046bc@%3Ccommits.cassandra.apache.org%3E"}, {"name": "[cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd31230d01fa6aad18bdadc0720acd1747e53690bd35f73a48e7a9b75@%3Ccommits.cassandra.apache.org%3E"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T21:54:44.510Z"}, "title": "CVE Program Container", "references": [{"name": "VU#605641", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "https://kb.cert.org/vuls/id/605641/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"}, {"name": "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "https://seclists.org/bugtraq/2019/Aug/24"}, {"name": "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2019/Aug/16"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.f5.com/csp/article/K46011592"}, {"name": "[trafficserver-announce] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/2653c56545573b528f3f6352a29eccaf498bd6fb2a6a59568d81a61d%40%3Cannounce.trafficserver.apache.org%3E"}, {"name": "[trafficserver-users] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/091b518265bce56a16af87b77c8cfacda902a02079e866f9fdf13b61%40%3Cusers.trafficserver.apache.org%3E"}, {"name": "[trafficserver-dev] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/ff5b0821a6985159a832ff6d1a4bd311ac07ecc7db1e2d8bab619107%40%3Cdev.trafficserver.apache.org%3E"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"}, {"name": "FEDORA-2019-5a6a7bc12c", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"}, {"name": "FEDORA-2019-6a2980de56", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"}, {"name": "DSA-4520", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2019/dsa-4520"}, {"name": "20190910 [SECURITY] [DSA 4520-1] trafficserver security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "https://seclists.org/bugtraq/2019/Sep/18"}, {"name": "openSUSE-SU-2019:2114", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"}, {"name": "openSUSE-SU-2019:2115", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10296"}, {"name": "RHSA-2019:2925", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:2925"}, {"name": "RHSA-2019:2939", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:2939"}, {"name": "RHSA-2019:2955", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:2955"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://support.f5.com/csp/article/K46011592?utm_source=f5support&amp%3Butm_medium=RSS"}, {"name": "RHSA-2019:3892", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:3892"}, {"name": "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"}, {"name": "RHSA-2019:4352", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:4352"}, {"name": "RHSA-2020:0727", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2020:0727"}, {"name": "[cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r99a625fb17032646d96cd23dec49603ff630e9318e44a686d63046bc%40%3Ccommits.cassandra.apache.org%3E"}, {"name": "[cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/rd31230d01fa6aad18bdadc0720acd1747e53690bd35f73a48e7a9b75%40%3Ccommits.cassandra.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "assignerShortName": "certcc", "cveId": "CVE-2019-9518", "datePublished": "2019-08-13T20:50:59", "dateReserved": "2019-03-01T00:00:00", "dateUpdated": "2024-08-04T21:54:44.510Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apple:swiftnio:*:*:*:*:*:*:*:*", "matchCriteriaId": "93988E60-006B-434D-AB16-1FA1D2FEBC2A", "versionEndIncluding": "1.4.0", "versionStartIncluding": "1.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*", "matchCriteriaId": "1D294D56-E784-4DA8-9C2C-BC5A05C92C0C", "versionStartIncluding": "10.12", "vulnerable": false}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:*:*:*:*:*:*:*:*", "matchCriteriaId": "65B1D2F6-BC1F-47AF-B4E6-4B50986AC622", "versionStartIncluding": "14.04", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "603BF43B-FC99-4039-A3C0-467F015A32FA", "versionEndIncluding": "6.2.3", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "07BB02CE-D4F2-459C-B0C6-FF78BF7996AE", "versionEndIncluding": "7.1.6", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:traffic_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D875E0D8-D109-4F7F-A4C4-9EDD66CEE74E", "versionEndIncluding": "8.0.3", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*", "matchCriteriaId": "CD783B0C-9246-47D9-A937-6144FE8BFF0F", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:synology:diskstation_manager:6.2:*:*:*:*:*:*:*", "matchCriteriaId": "022A0BC6-2C70-406D-8D60-EC6F9F6A90CA", "vulnerable": true}, {"criteria": "cpe:2.3:a:synology:skynas:-:*:*:*:*:*:*:*", "matchCriteriaId": "7C997777-BE79-4F77-90D7-E1A71D474D88", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:synology:vs960hd_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "3D0C5120-B961-440F-B454-584BC54B549C", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:synology:vs960hd:-:*:*:*:*:*:*:*", "matchCriteriaId": "1CCBDFF9-AF42-4681-879B-CF789EBAD130", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "matchCriteriaId": "D100F7CE-FC64-4CC6-852A-6136D72DA419", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "F1E78106-58E6-4D59-990F-75DA575BFAD9", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_core_services:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "A2466282-51AB-478D-9FF4-FA524265ED2E", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "0952BA1A-5DF9-400F-B01F-C3A398A8A2D4", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "8B157A2D-3422-4224-82D9-15AB3B989075", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_service_mesh:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "732F14CE-7994-4DD2-A28B-AE9E79826C01", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:quay:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "B1987BDA-0113-4603-B9BE-76647EB043F2", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "9D7EE4B6-A6EC-4B9B-91DF-79615796673F", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:graalvm:19.2.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "C120C2F1-D50D-49CC-8E96-207ACCA49674", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mcafee:web_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "765E9856-2748-4A8B-91F5-A4DB3C8C547A", "versionEndExcluding": "7.7.2.24", "versionStartIncluding": "7.7.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:web_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "EE6E66B1-3291-4E8E-93D6-30E9FDCF983E", "versionEndExcluding": "7.8.2.13", "versionStartIncluding": "7.8.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcafee:web_gateway:*:*:*:*:*:*:*:*", "matchCriteriaId": "227104AD-396D-4ADD-87C7-C4CD5583DA04", "versionEndExcluding": "8.2.0", "versionStartIncluding": "8.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "74FB695D-2C76-47AB-988E-5629D2E695E5", "versionEndIncluding": "8.8.1", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "matchCriteriaId": "CFC0252A-DF1D-4CF4-B450-27267227B599", "versionEndExcluding": "8.16.1", "versionStartIncluding": "8.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "25A3180B-21AF-4010-9DAB-41ADFD2D8031", "versionEndIncluding": "10.12.0", "versionStartIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*", "matchCriteriaId": "2EC65858-FF7B-4171-82EA-80942D426F40", "versionEndExcluding": "10.16.3", "versionStartIncluding": "10.13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*", "matchCriteriaId": "F522C500-AA33-4029-865F-F27FB00A354E", "versionEndExcluding": "12.8.1", "versionStartIncluding": "12.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU."}, {"lang": "es", "value": "Algunas implementaciones de HTTP / 2 son vulnerables a una avalancha de tramas vac\u00edas, lo que puede conducir a una denegaci\u00f3n de servicio. El atacante env\u00eda una secuencia de tramas con una carga \u00fatil vac\u00eda y sin el indicador de fin de secuencia. Estos marcos pueden ser DATA, HEADERS, CONTINUATION y / o PUSH_PROMISE. El par pasa tiempo procesando cada cuadro desproporcionado para atacar el ancho de banda. Esto puede consumir un exceso de CPU."}], "id": "CVE-2019-9518", "lastModified": "2023-11-07T03:13:43.380", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "cret@cert.org", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-08-13T21:15:13.003", "references": [{"source": "cret@cert.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html"}, {"source": "cret@cert.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html"}, {"source": "cret@cert.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2019/Aug/16"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:2925"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:2939"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:2955"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3892"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:4352"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2020:0727"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://kb.cert.org/vuls/id/605641/"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10296"}, {"source": "cret@cert.org", "url": "https://lists.apache.org/thread.html/091b518265bce56a16af87b77c8cfacda902a02079e866f9fdf13b61%40%3Cusers.trafficserver.apache.org%3E"}, {"source": "cret@cert.org", "url": "https://lists.apache.org/thread.html/2653c56545573b528f3f6352a29eccaf498bd6fb2a6a59568d81a61d%40%3Cannounce.trafficserver.apache.org%3E"}, {"source": "cret@cert.org", "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E"}, {"source": "cret@cert.org", "url": "https://lists.apache.org/thread.html/ff5b0821a6985159a832ff6d1a4bd311ac07ecc7db1e2d8bab619107%40%3Cdev.trafficserver.apache.org%3E"}, {"source": "cret@cert.org", "url": "https://lists.apache.org/thread.html/r99a625fb17032646d96cd23dec49603ff630e9318e44a686d63046bc%40%3Ccommits.cassandra.apache.org%3E"}, {"source": "cret@cert.org", "url": "https://lists.apache.org/thread.html/rd31230d01fa6aad18bdadc0720acd1747e53690bd35f73a48e7a9b75%40%3Ccommits.cassandra.apache.org%3E"}, {"source": "cret@cert.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/"}, {"source": "cret@cert.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/"}, {"source": "cret@cert.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/bugtraq/2019/Aug/24"}, {"source": "cret@cert.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/bugtraq/2019/Sep/18"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20190823-0005/"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "https://support.f5.com/csp/article/K46011592"}, {"source": "cret@cert.org", "url": "https://support.f5.com/csp/article/K46011592?utm_source=f5support&amp%3Butm_medium=RSS"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2019/dsa-4520"}, {"source": "cret@cert.org", "tags": ["Third Party Advisory"], "url": "https://www.synology.com/security/advisory/Synology_SA_19_33"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "cret@cert.org", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank the Envoy security team for reporting this issue.", "affected_release": [{"advisory": "RHSA-2020:0922", "cpe": "cpe:/a:redhat:amq_broker:7", "impact": "moderate", "package": "jetty", "product_name": "Red Hat AMQ", "release_date": "2020-03-23T00:00:00Z"}, {"advisory": "RHSA-2020:1445", "cpe": "cpe:/a:redhat:amq_broker:7", "impact": "moderate", "package": "jetty", "product_name": "Red Hat AMQ 7.4.3", "release_date": "2020-04-14T00:00:00Z"}, {"advisory": "RHSA-2020:0727", "cpe": "cpe:/a:redhat:jboss_data_grid:7.3", "package": "netty", "product_name": "Red Hat Data Grid 7.3.3", "release_date": "2020-03-05T00:00:00Z"}, {"advisory": "RHSA-2020:3196", "cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7.8", "package": "netty", "product_name": "Red Hat Decision Manager 7", "release_date": "2020-07-29T00:00:00Z"}, {"advisory": "RHSA-2019:2925", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "nodejs:10-8000020190911085529.f8e95b4e", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2019-09-30T00:00:00Z"}, {"advisory": "RHSA-2019:4352", "cpe": "cpe:/a:redhat:jboss_fuse:6.3", "package": "netty", "product_name": "Red Hat Fuse 6.3", "release_date": "2019-12-19T00:00:00Z"}, {"advisory": "RHSA-2019:3892", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "netty", "product_name": "Red Hat Fuse 7.5.0", "release_date": "2019-11-14T00:00:00Z"}, {"advisory": "RHSA-2020:0983", "cpe": "cpe:/a:redhat:jboss_fuse:7", "package": "undertow", "product_name": "Red Hat Fuse 7.6.0", "release_date": "2020-03-26T00:00:00Z"}, {"advisory": "RHSA-2020:3197", "cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8", "package": "netty", "product_name": "Red Hat Process Automation 7", "release_date": "2020-07-29T00:00:00Z"}, {"advisory": "RHSA-2019:2939", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs10-0:3.2-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2019-10-01T00:00:00Z"}, {"advisory": "RHSA-2019:2939", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs10-nodejs-0:10.16.3-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2019-10-01T00:00:00Z"}, {"advisory": "RHSA-2019:2955", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs8-0:3.0-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2019-10-02T00:00:00Z"}, {"advisory": "RHSA-2019:2955", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs8-nodejs-0:8.16.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2019-10-02T00:00:00Z"}, {"advisory": "RHSA-2019:2939", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs10-0:3.2-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2019-10-01T00:00:00Z"}, {"advisory": "RHSA-2019:2939", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs10-nodejs-0:10.16.3-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2019-10-01T00:00:00Z"}, {"advisory": "RHSA-2019:2955", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs8-0:3.0-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2019-10-02T00:00:00Z"}, {"advisory": "RHSA-2019:2955", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs8-nodejs-0:8.16.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2019-10-02T00:00:00Z"}, {"advisory": "RHSA-2019:2939", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs10-0:3.2-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2019-10-01T00:00:00Z"}, {"advisory": "RHSA-2019:2939", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs10-nodejs-0:10.16.3-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2019-10-01T00:00:00Z"}, {"advisory": "RHSA-2019:2955", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs8-0:3.0-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2019-10-02T00:00:00Z"}, {"advisory": "RHSA-2019:2955", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs8-nodejs-0:8.16.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2019-10-02T00:00:00Z"}, {"advisory": "RHSA-2019:2939", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs10-0:3.2-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2019-10-01T00:00:00Z"}, {"advisory": "RHSA-2019:2939", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs10-nodejs-0:10.16.3-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2019-10-01T00:00:00Z"}, {"advisory": "RHSA-2019:2955", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs8-0:3.0-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2019-10-02T00:00:00Z"}, {"advisory": "RHSA-2019:2955", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-nodejs8-nodejs-0:8.16.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2019-10-02T00:00:00Z"}], "bugzilla": {"description": "HTTP/2: flood using empty frames results in excessive resource consumption", "id": "1735749", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1735749"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.", "A flaw was found in HTTP/2. Using frames with an empty payload, a flood could occur that results in excessive CPU usage and starvation of other clients. The highest threat from this vulnerability is to system availability."], "name": "CVE-2019-9518", "package_state": [{"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Not affected", "package_name": "nginx", "product_name": "CloudForms Management Engine 5"}, {"cpe": "cpe:/a:redhat:service_mesh:0", "fix_state": "Not affected", "package_name": "maistra", "product_name": "OpenShift Service Mesh Tech Preview"}, {"cpe": "cpe:/a:redhat:amq_broker:7", "fix_state": "Affected", "package_name": "netty", "product_name": "Red Hat AMQ Broker 7"}, {"cpe": "cpe:/a:redhat:ansible_tower:3", "fix_state": "Not affected", "package_name": "nginx", "product_name": "Red Hat Ansible Tower 3"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "nginx:1.14/nginx", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Not affected", "package_name": "netty", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "jbossweb", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Will not fix", "impact": "low", "package_name": "undertow", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "impact": "moderate", "package_name": "undertow", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Affected", "package_name": "netty", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Out of support scope", "package_name": "rhoar-nodejs", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:openshift:3.10", "fix_state": "Not affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.10"}, {"cpe": "cpe:/a:redhat:openshift:3.10", "fix_state": "Not affected", "package_name": "nodejs", "product_name": "Red Hat OpenShift Container Platform 3.10"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Not affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.9", "fix_state": "Not affected", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.9"}, {"cpe": "cpe:/a:redhat:openshift:3.9", "fix_state": "Not affected", "package_name": "nodejs", "product_name": "Red Hat OpenShift Container Platform 3.9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "openshift", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "nodejs", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "netty", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Not affected", "package_name": "undertow", "product_name": "Red Hat Single Sign-On 7"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-nginx110-nginx", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-nginx112-nginx", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-nginx114-nginx", "product_name": "Red Hat Software Collections"}], "public_date": "2019-08-13T17:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-9518\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-9518\nhttps://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md\nhttps://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/"], "statement": "This flaw has no available mitigation for nodejs package. It will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.", "threat_severity": "Important", "upstream_fix": "undertow 2.0.26.SP2, undertow 2.0.27.Final, Nodejs 8.16.1, Nodejs 10.16.3, Nodejs 12.8.1, envoy 1.11.1"}