Bug 1145662 (CVE-2019-9518) - VUL-0: CVE-2019-9518: netty: HTTP/2 implementation is vulnerable to a flood of empty frames, potentially leading to a denial of service
Status: RESOLVED FIXED
Alias: CVE-2019-9518
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/239521/
Whiteboard: CVSSv3.1:SUSE:CVE-2019-9518:7.5:(AV:N...
Reported: 2019-08-14 16:09 UTC by Robert Frohl
Modified: 2022-04-15 14:03 UTC
Found By: Security Response Team


Description Robert Frohl 2019-08-14 16:09:16 UTC
CVE-2019-9518

Some HTTP/2 implementations are vulnerable to a flood of empty frames,
potentially leading to a denial of service. The attacker sends a stream of
frames with an empty payload and without the end-of-stream flag. These frames
can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time
processing each frame disproportionate to attack bandwidth. This can consume
excess CPU.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9518
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9518.html
http://www.cvedetails.com/cve/CVE-2019-9518/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
https://kb.cert.org/vuls/id/605641/
https://seclists.org/bugtraq/2019/Aug/24
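
Added example (not part of the original report and not netty's code): a detection sketch for the pattern described above. It parses the 9-byte HTTP/2 frame headers from a captured byte stream and reports the frame at which a run of empty DATA, HEADERS, CONTINUATION or PUSH_PROMISE frames without END_STREAM exceeds a limit. The function names, the sample captures and the limit of 16 are assumptions made for this example.

```python
import struct

# Frame types named in the CVE-2019-9518 description (RFC 7540 section 6).
DATA, HEADERS, PUSH_PROMISE, CONTINUATION = 0x0, 0x1, 0x5, 0x9
WATCHED = {DATA, HEADERS, PUSH_PROMISE, CONTINUATION}
END_STREAM = 0x1          # flag defined for DATA and HEADERS only
FRAME_HEADER_LEN = 9      # 24-bit length, type, flags, 31-bit stream id


def frame(ftype, flags, stream_id, payload=b""):
    """Build one HTTP/2 frame; used only to construct the sample input."""
    length = struct.pack(">I", len(payload))[1:]
    return length + struct.pack(">BBI", ftype, flags, stream_id) + payload


def parse_frames(buf):
    """Yield (type, flags, stream_id, length) for each complete frame."""
    pos = 0
    while pos + FRAME_HEADER_LEN <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags, sid = struct.unpack(">BBI", buf[pos + 3:pos + 9])
        if pos + FRAME_HEADER_LEN + length > len(buf):
            break                              # truncated capture, stop here
        yield ftype, flags, sid & 0x7FFFFFFF, length
        pos += FRAME_HEADER_LEN + length


def is_empty_no_eos(ftype, flags, length):
    """True for a zero-length watched frame that does not end the stream."""
    if length != 0:
        return False
    return not (ftype in (DATA, HEADERS) and flags & END_STREAM)


def first_violation(buf, max_consecutive=16):
    """Index of the frame whose run of empty frames exceeds the limit, else None."""
    run = 0
    for i, (ftype, flags, _sid, length) in enumerate(parse_frames(buf)):
        if ftype not in WATCHED:
            continue                           # control frames leave the run unchanged
        run = run + 1 if is_empty_no_eos(ftype, flags, length) else 0
        if run > max_consecutive:
            return i
    return None


# Constructed sample captures (not real traffic).
_HDRS = frame(HEADERS, 0x4, 1, b"\x82\x86")    # END_HEADERS set, 2-byte header block
SAMPLE_NORMAL = _HDRS + frame(DATA, 0, 1, b"hello") + frame(DATA, END_STREAM, 1)
SAMPLE_FLOOD = _HDRS + frame(DATA, 0, 1) * 20
```

A server-side limit works the same way: count per connection, reset on a frame that carries payload or closes the stream, and close the connection once the limit is passed.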
Comment 1 Julio González Gil 2019-09-09 06:54:29 UTC
Assigned to Silvio (see https://bugzilla.novell.com/show_bug.cgi?id=1145663#c5)
Comment 2 Silvio Moioli 2020-02-17 12:06:36 UTC
See proposed resolution in https://bugzilla.novell.com/show_bug.cgi?id=1145663#c7

Re-assigning to security team.
Comment 3 Gabriele Sonnu 2022-04-15 14:03:46 UTC
Done.