Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service
CVE-2019-9517

7.5HIGH

Key Information:

Vendor
Apple
Status
Swiftnio
Vendor
CVE Published:
13 August 2019

Summary

Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both.

References

https://kb.cert.org/vuls/id/605641/
third-party-advisoryx_refsource_CERT-VN
https://github.com/Netflix/security-bulletins/blob/master...
x_refsource_MISC
https://lists.apache.org/thread.html/4610762456644181b267...
mailing-listx_refsource_MLIST

EPSS Score

8% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Thanks to Jonathan Looney of Netflix for reporting this vulnerability.
.