CVE-2019-9516

high-risk

Published 2019-08-13

Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory.

Do I need to act?

2.2% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Swiftnio

Traffic Server

Ubuntu Linux

Debian Linux

Fedora

Skynas

Diskstation Manager

Vs960Hd Firmware

Fedora

Leap

Jboss Core Services

Jboss Enterprise Application Platform

Openshift Service Mesh

Quay

Affected Vendors

Debian Redhat Apache Apple Oracle F5 Mcafee Canonical Fedoraproject Opensuse Synology Nodejs

References (74)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00035.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00014.html

Mailing List http://seclists.org/fulldisclosure/2019/Aug/16

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2745

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2746

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2775

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2799

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2925

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2939

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2946

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2950

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2955

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2966

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:3932

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:3933

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:3935

Third Party Advisory https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party...

Third Party Advisory https://kb.cert.org/vuls/id/605641/

and 54 more references

/ 100

high-risk

Severity 24/34 · High

Exploitability 5/34 · Minimal

Exposure 22/34 · High