
CVE-2019-9518

Published: 13 August 2019

Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.
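The description above is the whole attack: each empty frame costs the attacker nine bytes but costs the server a full frame dispatch, so a limit on how many consecutive empty, non-terminal frames a peer may send is the natural check. The following is an added example, not code from Netty, Apache Traffic Server or the Ubuntu tracker: a minimal RFC 7540 frame parser plus a guard that tears the connection down once more than `max_consecutive` empty DATA, HEADERS, PUSH_PROMISE or CONTINUATION frames arrive without END_STREAM. The threshold value, the `EmptyFrameGuard` name and the sample traffic are all constructed for illustration.

```python
import struct

# HTTP/2 frame type codes and the END_STREAM flag (RFC 7540, section 6)
DATA, HEADERS, PUSH_PROMISE, CONTINUATION = 0x0, 0x1, 0x5, 0x9
END_STREAM = 0x1
END_HEADERS = 0x4
FRAME_HEADER_LEN = 9
# The frame types the CVE text names as usable for the flood
FLOODABLE_TYPES = {DATA, HEADERS, PUSH_PROMISE, CONTINUATION}


def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialise one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big")
            + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF)
            + payload)


def parse_frames(buf):
    """Yield (type, flags, stream_id, payload) for each complete frame in buf."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = struct.unpack("!I", buf[off + 5:off + 9])[0] & 0x7FFFFFFF
        start = off + FRAME_HEADER_LEN
        if start + length > len(buf):
            break  # truncated trailing frame; a real server would wait for more bytes
        yield ftype, flags, stream_id, buf[start:start + length]
        off = start + length


class EmptyFrameGuard:
    """Count consecutive empty frames that do not carry END_STREAM.

    max_consecutive is a constructed threshold for this example; any
    non-empty frame, or an empty frame that ends the stream, resets it.
    """

    def __init__(self, max_consecutive=2):
        self.max_consecutive = max_consecutive
        self.consecutive = 0

    def on_frame(self, ftype, flags, payload):
        """Return True when the connection should be closed as a flood."""
        if ftype in FLOODABLE_TYPES and not payload and not flags & END_STREAM:
            self.consecutive += 1
            return self.consecutive > self.max_consecutive
        self.consecutive = 0
        return False


def inspect(buf, max_consecutive=2):
    """Feed a byte buffer through the guard.

    Returns (frames_processed, tripped): how many frames the server had to
    dispatch before the guard fired, and whether it fired at all.
    """
    guard = EmptyFrameGuard(max_consecutive)
    processed = 0
    for ftype, flags, _stream_id, payload in parse_frames(buf):
        processed += 1
        if guard.on_frame(ftype, flags, payload):
            return processed, True
    return processed, False


# Constructed sample traffic: b"\x82" is the HPACK indexed entry for ":method: GET".
# A benign request: HEADERS, then a DATA frame that ends the stream.
BENIGN = (build_frame(HEADERS, END_HEADERS, 1, b"\x82")
          + build_frame(DATA, END_STREAM, 1, b"hello"))
# The CVE-2019-9518 pattern: HEADERS followed by 1000 empty DATA frames
# without END_STREAM, 9 bytes each on the wire.
FLOOD = (build_frame(HEADERS, END_HEADERS, 1, b"\x82")
         + b"".join(build_frame(DATA, 0, 1) for _ in range(1000)))

if __name__ == "__main__":
    print("benign:", inspect(BENIGN))
    print("flood, guarded:", inspect(FLOOD))
    print("flood, unguarded:", inspect(FLOOD, max_consecutive=10 ** 6))
```

Run unguarded, the flood forces all 1001 frames through the dispatcher for about 9 KB of attacker bandwidth; with the guard it is cut off at the fourth frame. The caveat a practitioner should keep in mind is that an empty DATA frame with END_STREAM set is legitimate (it is how a sender closes a stream after trailers), which is why the counter only increments when the flag is absent and resets otherwise.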

From the Ubuntu security team

It was discovered that Netty incorrectly implements HTTP/2. An attacker could possibly use this issue to cause a denial of service.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package / Release / Status

netty (Launchpad, Ubuntu, Debian)
  bionic    Needed
  disco     Ignored (reached end-of-life)
  eoan      Ignored (reached end-of-life)
  focal     Needed
  groovy    Ignored (reached end-of-life)
  hirsute   Ignored (reached end-of-life)
  impish    Ignored (reached end-of-life)
  jammy     Needed
  precise   Does not exist
  trusty    Not vulnerable (code not present)
  upstream  Needs triage
  xenial    Not vulnerable (code not present)

trafficserver (Launchpad, Ubuntu, Debian)
  bionic    Needs triage
  focal     Not vulnerable (8.0.5+ds-3)
  groovy    Ignored (reached end-of-life)
  hirsute   Ignored (reached end-of-life)
  impish    Ignored (reached end-of-life)
  jammy     Needs triage
  precise   Does not exist
  trusty    Does not exist
  upstream  Needs triage
  xenial    Ignored (end of standard support, was needs-triage)