Bug 1145662 - (CVE-2019-9518) VUL-0: CVE-2019-9518: netty: HTTP/2 implementation is vulnerable to a flood of empty frames, potentially leading to a denial of service
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/239521/
CVSSv3.1:SUSE:CVE-2019-9518:7.5:(AV:N...
Reported: 2019-08-14 16:09 UTC by Robert Frohl
Modified: 2022-04-15 14:03 UTC
Found By: Security Response Team
Description Robert Frohl 2019-08-14 16:09:16 UTC
CVE-2019-9518

Some HTTP/2 implementations are vulnerable to a flood of empty frames,
potentially leading to a denial of service. The attacker sends a stream of
frames with an empty payload and without the end-of-stream flag. These frames
can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time
processing each frame disproportionate to attack bandwidth. This can consume
excess CPU.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9518
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9518.html
http://www.cvedetails.com/cve/CVE-2019-9518/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://kb.cert.org/vuls/id/605641/
https://seclists.org/bugtraq/2019/Aug/24
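
A detection sketch for the pattern in the description above, added here as an example and not taken from netty or from this bug report: it walks raw HTTP/2 frame headers (the 9-byte header of RFC 7540) and reports streams showing a long run of empty DATA, HEADERS, CONTINUATION or PUSH_PROMISE frames without the end-of-stream flag. The threshold `MAX_EMPTY_RUN`, the function names and the sample bytes are assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

# Frame types named in the CVE text (type codes from RFC 7540, section 6).
WATCHED = {0x0: "DATA", 0x1: "HEADERS", 0x5: "PUSH_PROMISE", 0x9: "CONTINUATION"}
END_STREAM = 0x1      # flag bit, defined for DATA and HEADERS only
MAX_EMPTY_RUN = 10    # assumed threshold, tune per deployment

def iter_frames(buf):
    """Yield (length, type, flags, stream_id) per complete frame; buf starts after the preface."""
    off = 0
    while off + 9 <= len(buf):
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, off)
        length = (hi << 16) | lo
        if off + 9 + length > len(buf):
            break  # truncated capture: ignore the partial frame
        yield length, ftype, flags, sid & 0x7FFFFFFF  # drop the reserved bit
        off += 9 + length

def find_empty_frame_floods(buf, limit=MAX_EMPTY_RUN):
    """Return {stream_id: longest run} for streams with more than `limit` consecutive empty frames."""
    run, flagged = defaultdict(int), {}
    for length, ftype, flags, sid in iter_frames(buf):
        if ftype not in WATCHED:
            continue
        ends = ftype in (0x0, 0x1) and bool(flags & END_STREAM)
        if length == 0 and not ends:
            run[sid] += 1
            if run[sid] > limit:
                flagged[sid] = max(flagged.get(sid, 0), run[sid])
        else:
            run[sid] = 0  # a frame carrying data or closing the stream resets the run
    return flagged

def frame(ftype, flags, sid, payload=b""):
    """Build one frame for the constructed sample below."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, sid) + payload

# Constructed sample: stream 1 carries 25 empty DATA frames, stream 3 behaves normally.
SAMPLE = (frame(0x1, 0x4, 1, b"\x82") + frame(0x0, 0, 1) * 25
          + frame(0x0, 0, 3, b"hi") + frame(0x0, END_STREAM, 3))

if __name__ == "__main__":
    print(find_empty_frame_floods(SAMPLE))
```

The run counter is kept per stream, so a single empty DATA frame that carries END_STREAM (a normal way to close a stream) is never flagged.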
Comment 1 Julio González Gil 2019-09-09 06:54:29 UTC
Assigned to Silvio (see https://bugzilla.novell.com/show_bug.cgi?id=1145663#c5)
Comment 2 Silvio Moioli 2020-02-17 12:06:36 UTC
See proposed resolution in https://bugzilla.novell.com/show_bug.cgi?id=1145663#c7

Re-assigning to security team.
Comment 3 Gabriele Sonnu 2022-04-15 14:03:46 UTC
Done.