Bugzilla – Bug 1145662
VUL-0: CVE-2019-9518: netty: HTTP/2 implementation is vulnerable to a flood of empty frames, potentially leading to a denial of service
Last modified: 2022-04-15 14:03:46 UTC
CVE-2019-9518 Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9518
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9518.html
http://www.cvedetails.com/cve/CVE-2019-9518/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://kb.cert.org/vuls/id/605641/
https://seclists.org/bugtraq/2019/Aug/24
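A defender-side check for the frame pattern described above, added here as an example (not code from Netty or from this bug report): it walks the 9-byte HTTP/2 frame headers in a captured byte stream and reports where a run of empty frames without END_STREAM exceeds a threshold. The function names, the threshold of 16 and the sample bytes are assumptions constructed for illustration, and the buffer is assumed to start at a frame boundary (after the connection preface).

```python
import struct

# Frame types named in the CVE text, with their RFC 7540 type codes.
EMPTY_FLOOD_TYPES = {0x0: "DATA", 0x1: "HEADERS", 0x5: "PUSH_PROMISE", 0x9: "CONTINUATION"}
END_STREAM = 0x1  # flag bit, defined only for DATA and HEADERS

def parse_frames(buf):
    """Yield (length, type, flags, stream_id) for each complete frame in buf."""
    pos = 0
    while pos + 9 <= len(buf):
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, pos)
        length = (hi << 16) | lo  # 24-bit payload length
        if pos + 9 + length > len(buf):
            break  # truncated capture: stop at the last complete frame
        yield length, ftype, flags, sid & 0x7FFFFFFF  # drop the reserved bit
        pos += 9 + length

def first_flood_frame(buf, limit=16):
    """Index of the frame where a run of empty, non-END_STREAM frames
    first exceeds `limit` (hypothetical threshold), or None."""
    run = 0
    for i, (length, ftype, flags, _sid) in enumerate(parse_frames(buf)):
        ends_stream = ftype in (0x0, 0x1) and bool(flags & END_STREAM)
        if length == 0 and ftype in EMPTY_FLOOD_TYPES and not ends_stream:
            run += 1
            if run > limit:
                return i
        else:
            run = 0  # a frame with payload or END_STREAM breaks the run
    return None

def frame(ftype, flags, sid, payload=b""):
    """Build one frame; used only to construct the sample captures below."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, sid) + payload

# Constructed samples (not real traffic). The payload bytes are opaque filler.
NORMAL = frame(0x1, 0x4, 1, b"\x82\x86") + frame(0x0, 0x0, 1, b"hello") + frame(0x0, 0x1, 1)
FLOOD = frame(0x1, 0x4, 1, b"\x82\x86") + frame(0x0, 0x0, 1) * 20

if __name__ == "__main__":
    print("normal:", first_flood_frame(NORMAL))
    print("flood: ", first_flood_frame(FLOOD))
```

The counter is kept per connection rather than per stream, so a run spread across many stream IDs is still caught.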
Assigned to Silvio (see https://bugzilla.novell.com/show_bug.cgi?id=1145663#c5)
See proposed resolution in https://bugzilla.novell.com/show_bug.cgi?id=1145663#c7 Re-assigning to security team.
Done.