Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service
CVE-2019-9518

7.5HIGH

Key Information:

Vendor
Apple
Status
Swiftnio
Vendor
CVE Published:
13 August 2019

Summary

Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.

References

https://kb.cert.org/vuls/id/605641/
third-party-advisoryx_refsource_CERT-VN
https://github.com/Netflix/security-bulletins/blob/master...
x_refsource_MISC
https://seclists.org/bugtraq/2019/Aug/24
mailing-listx_refsource_BUGTRAQ

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Thanks to Piotr Sikora of Google for reporting this vulnerability.
.