Your submission was sent successfully! Close

CVE-2019-9517

Published: 13 August 2019

Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.

Notes

AuthorNote
sbeattie
apache2 2.4.18 in xenial does not build mod_http2

Mitigation

Disable http2 support
Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
apache2
Launchpad, Ubuntu, Debian
bionic
Released (2.4.29-1ubuntu4.10)
cosmic Ignored
(reached end-of-life)
disco
Released (2.4.38-2ubuntu2.2)
precise Not vulnerable
(http2 support not implemented)
trusty Not vulnerable
(http2 support not implemented)
upstream
Released (2.4.41-1)
xenial Not vulnerable
(code not built)