rhsa-2019_4352
Vulnerability from csaf_redhat
Published
2019-12-19 17:37
Modified
2024-11-22 13:27
Summary
Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R14 security and bug fix update
Notes
Topic
An update is now available for Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat Fuse provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat A-MQ is a standards-compliant messaging system that is tailored for use in mission-critical applications.
This patch is an update to Red Hat Fuse 6.3 and Red Hat A-MQ 6.3. It includes bug fixes, which are documented in the patch notes accompanying the package on the download page. See the download link given in the References section below.
Security fix(es):
* zookeeper: Information disclosure in Apache ZooKeeper (CVE-2019-0201)
* HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)
* HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514)
* HTTP/2: flood using SETTINGS frames results in unbounded memory growth (CVE-2019-9515)
* HTTP/2: flood using empty frames results in excessive resource consumption (CVE-2019-9518)
* xstream: remote code execution due to insecure XML deserialization (CVE-2019-10173)
* jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution (CVE-2019-12384)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat Fuse provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat A-MQ is a standards compliant messaging system that is tailored for use in mission critical applications.\n\nThis patch is an update to Red Hat Fuse 6.3 and Red Hat A-MQ 6.3. It includes bug fixes, which are documented in the patch notes accompanying the package on the download page. 
See the download link given in the references section below.\n\nSecurity fix(es):\n\n* zookeeper: Information disclosure in Apache ZooKeeper (CVE-2019-0201)\n\n* HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)\n\n* HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514)\n\n* HTTP/2: flood using SETTINGS frames results in unbounded memory growth (CVE-2019-9515) \n\n* HTTP/2: flood using empty frames results in excessive resource consumption (CVE-2019-9518)\n\n* xstream: remote code execution due to insecure XML deserialization (CVE-2019-10173)\n\n* jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution (CVE-2019-12384)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. 
and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2019:4352", url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq.broker&downloadType=securityPatches&version=6.3.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq.broker&downloadType=securityPatches&version=6.3.0", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.3", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.3", }, { category: "external", summary: "https://access.redhat.com/documentation/en-us/red_hat_jboss_fuse/6.3/html/release_notes/index", url: "https://access.redhat.com/documentation/en-us/red_hat_jboss_fuse/6.3/html/release_notes/index", }, { category: "external", summary: "1715197", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1715197", }, { category: "external", summary: "1722971", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1722971", }, { category: "external", summary: "1725807", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1725807", }, { category: "external", summary: "1735645", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1735645", }, { 
category: "external", summary: "1735744", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1735744", }, { category: "external", summary: "1735745", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1735745", }, { category: "external", summary: "1735749", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1735749", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_4352.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.3 R14 security and bug fix update", tracking: { current_release_date: "2024-11-22T13:27:38+00:00", generator: { date: "2024-11-22T13:27:38+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2019:4352", initial_release_date: "2019-12-19T17:37:50+00:00", revision_history: [ { date: "2019-12-19T17:37:50+00:00", number: "1", summary: "Initial version", }, { date: "2019-12-19T17:37:50+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T13:27:38+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Fuse 6.3", product: { name: "Red Hat Fuse 6.3", product_id: "Red Hat Fuse 6.3", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:6.3", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2019-0201", cwe: { id: "CWE-732", name: "Incorrect Permission Assignment for Critical Resource", }, discovery_date: "2019-05-20T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1715197", }, ], notes: [ { category: "description", text: "A flaw was found in Apache ZooKeeper. 
A lack of permission checks while retrieving ACLs allows unsalted hash values to be disclosed for unauthenticated or unprivileged users.", title: "Vulnerability description", }, { category: "summary", text: "zookeeper: Information disclosure in Apache ZooKeeper", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-0201", }, { category: "external", summary: "RHBZ#1715197", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1715197", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-0201", url: "https://www.cve.org/CVERecord?id=CVE-2019-0201", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-0201", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-0201", }, ], release_date: "2019-05-20T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2019-12-19T17:37:50+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { category: "workaround", details: "Use an authentication method other than Digest (e.g. Kerberos) or upgrade to zookeeper 3.4.14 or later (3.5.5 or later if on the 3.5 branch). 
[https://zookeeper.apache.org/security.html#CVE-2019-0201]", product_ids: [ "Red Hat Fuse 6.3", ], }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "zookeeper: Information disclosure in Apache ZooKeeper", }, { acknowledgments: [ { names: [ "the Envoy security team", ], }, ], cve: "CVE-2019-9512", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2019-08-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1735645", }, ], notes: [ { category: "description", text: "A flaw was found in HTTP/2. Using PING frames and queuing of response PING ACK frames, a flood attack could occur resulting in unbounded memory growth. 
The highest threat from this vulnerability is to system availability.", title: "Vulnerability description", }, { category: "summary", text: "HTTP/2: flood using PING frames results in unbounded memory growth", title: "Vulnerability summary", }, { category: "other", text: "The golang package in Red Hat OpenStack Platform 9 Operational Tools will not be updated for this flaw because it is in technical preview and is retiring as of 24.Aug.2019.\nThis issue did not affect the versions of grafana(embeds golang) as shipped with Red Hat Ceph Storage 2 and Red Hat Gluster Storage 3 as they did not include the support for HTTP/2.\nThe following storage product versions are affected because they include the support for HTTP/2 in:\n* golang as shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3\n* heketi(embeds golang) as shipped with Red Hat Gluster Storage 3\n* grafana(embeds golang and grpc) as shipped with Red Hat Ceph Storage 3\nThis flaw has no available mitigation for packages golang and nodejs. 
Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.\n\nAll OpenShift Container Platform RPMs and container images that are built with Go and support HTTP/2 are vulnerable to this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-9512", }, { category: "external", summary: "RHBZ#1735645", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1735645", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-9512", url: "https://www.cve.org/CVERecord?id=CVE-2019-9512", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-9512", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-9512", }, { category: "external", summary: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", url: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", }, { category: "external", summary: "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg", url: "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg", }, { category: "external", summary: "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA", url: "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA", }, { category: "external", summary: 
"https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", url: "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", }, { category: "external", summary: "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html", url: "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html", }, ], release_date: "2019-08-13T17:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2019-12-19T17:37:50+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2019:4352", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "HTTP/2: flood using PING frames results in unbounded memory growth", }, { acknowledgments: [ { names: [ "the Envoy security team", ], }, ], cve: "CVE-2019-9514", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2019-08-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1735744", }, ], notes: [ { category: "description", text: "A flaw was found in HTTP/2. Using HEADER frames with invalid HTTP headers and queuing of response RST_STREAM frames, an attacker could cause a flood resulting in unbounded memory growth. 
The highest threat from this vulnerability is to system availability.", title: "Vulnerability description", }, { category: "summary", text: "HTTP/2: flood using HEADERS frames results in unbounded memory growth", title: "Vulnerability summary", }, { category: "other", text: "The golang package in Red Hat OpenStack Platform 9 Operational Tools will not be updated for this flaw because it is in technical preview and is retiring as of 24.Aug.2019.\nThis issue did not affect the versions of grafana(embeds golang) as shipped with Red Hat Ceph Storage 2 and Red Hat Gluster Storage 3 as they did not include the support for HTTP/2.\nThe following storage product versions are affected because they include the support for HTTP/2 in:\n* golang as shipped with Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and Red Hat Ceph Storage 3\n* heketi(embeds golang) as shipped with Red Hat Gluster Storage 3\n* grafana(embeds golang and grpc) as shipped with Red Hat Ceph Storage 3\nThis flaw has no available mitigation for packages golang and nodejs. 
Both packages will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.\n\nAll OpenShift Container Platform RPMs and container images that are built with Go and support HTTP/2 are vulnerable to this flaw.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-9514", }, { category: "external", summary: "RHBZ#1735744", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1735744", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-9514", url: "https://www.cve.org/CVERecord?id=CVE-2019-9514", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-9514", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-9514", }, { category: "external", summary: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", url: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", }, { category: "external", summary: "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg", url: "https://groups.google.com/forum/#!topic/golang-announce/65QixT3tcmg", }, { category: "external", summary: "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA", url: "https://groups.google.com/forum/#!topic/kubernetes-security-announce/wlHLHit1BqA", }, { category: "external", summary: 
"https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", url: "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", }, { category: "external", summary: "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html", url: "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html", }, ], release_date: "2019-08-13T17:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2019-12-19T17:37:50+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2019:4352", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "HTTP/2: flood using HEADERS frames results in unbounded memory growth", }, { acknowledgments: [ { names: [ "the Envoy security team", ], }, ], cve: "CVE-2019-9515", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2019-08-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1735745", }, ], notes: [ { category: "description", text: "A flaw was found in HTTP/2. Using SETTINGS frames and queuing of SETTINGS ACK frames, a flood could occur resulting in unbounded memory growth. 
The highest threat from this vulnerability is to system availability.", title: "Vulnerability description", }, { category: "summary", text: "HTTP/2: flood using SETTINGS frames results in unbounded memory growth", title: "Vulnerability summary", }, { category: "other", text: "This issue affects the version of grafana(embeds gRPC) as shipped with Red Hat Ceph Storage 3 as it include the support for HTTP/2.\nThis flaw has no available mitigation for nodejs package. It will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-9515", }, { category: "external", summary: "RHBZ#1735745", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1735745", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-9515", url: "https://www.cve.org/CVERecord?id=CVE-2019-9515", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-9515", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-9515", }, { category: "external", summary: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", url: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", }, { category: "external", summary: "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", url: 
"https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", }, { category: "external", summary: "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html", url: "https://www.mail-archive.com/grpc-io@googlegroups.com/msg06408.html", }, ], release_date: "2019-08-13T17:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2019-12-19T17:37:50+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2019:4352", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "HTTP/2: flood using SETTINGS frames results in unbounded memory growth", }, { acknowledgments: [ { names: [ "the Envoy security team", ], }, ], cve: "CVE-2019-9518", cwe: { id: "CWE-400", name: "Uncontrolled Resource Consumption", }, discovery_date: "2019-08-01T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1735749", }, ], notes: [ { category: "description", text: "A flaw was found in HTTP/2. Using frames with an empty payload, a flood could occur that results in excessive CPU usage and starvation of other clients. 
The highest threat from this vulnerability is to system availability.", title: "Vulnerability description", }, { category: "summary", text: "HTTP/2: flood using empty frames results in excessive resource consumption", title: "Vulnerability summary", }, { category: "other", text: "This flaw has no available mitigation for nodejs package. It will be updated once the available fixes are released for Red Hat Enterprise Linux and Red Hat Software Collections.\n\nThe nodejs RPM shipped in OpenShift Container Platform 3.9 and 3.10 is not affected by this flaw as it does not contain the vulnerable code.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-9518", }, { category: "external", summary: "RHBZ#1735749", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1735749", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-9518", url: "https://www.cve.org/CVERecord?id=CVE-2019-9518", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-9518", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-9518", }, { category: "external", summary: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", url: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", }, { category: "external", summary: "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", url: "https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/", }, ], release_date: "2019-08-13T17:00:00+00:00", remediations: [ { category: "vendor_fix", date: 
"2019-12-19T17:37:50+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2019:4352", }, ], scores: [ { cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "HTTP/2: flood using empty frames results in excessive resource consumption", }, { cve: "CVE-2019-10173", cwe: { id: "CWE-94", name: "Improper Control of Generation of Code ('Code Injection')", }, discovery_date: "2019-06-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1722971", }, ], notes: [ { category: "description", text: "It was found that xstream API version 1.4.10 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. 
This a regression of CVE-2013-7285 fixed in 1.4.7 (fixed) as of BPMS 6.0.1, the regression was introduced with xstream-1.4.10 implemented in RHPAM.", title: "Vulnerability description", }, { category: "summary", text: "xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285)", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-10173", }, { category: "external", summary: "RHBZ#1722971", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1722971", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-10173", url: "https://www.cve.org/CVERecord?id=CVE-2019-10173", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-10173", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-10173", }, { category: "external", summary: "http://x-stream.github.io/changes.html#1.4.11", url: "http://x-stream.github.io/changes.html#1.4.11", }, ], release_date: "2018-10-23T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2019-12-19T17:37:50+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2019:4352", }, ], scores: [ { cvss_v3: { 
attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.3, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, products: [ "Red Hat Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "xstream: remote code execution due to insecure XML deserialization (regression of CVE-2013-7285)", }, { cve: "CVE-2019-12384", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2019-06-25T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1725807", }, ], notes: [ { category: "description", text: "A flaw was discovered in FasterXML jackson-databind in versions prior to 2.9.9. The vulnerability would permit polymorphic deserialization of malicious objects using the logback-core gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. Depending on the classpath content, remote code execution may be possible.", title: "Vulnerability description", }, { category: "summary", text: "jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution", title: "Vulnerability summary", }, { category: "other", text: "Red Hat OpenStack's OpenDaylight does not use logback in any supported configuration. Therefore, the prerequisites for this vulnerability are not present and OpenDaylight is not affected.\n\nThis vulnerability relies on logback-core (ch.qos.logback.core) being present in the application's ClassPath. Logback-core is not packaged as an RPM for Red Hat Enterprise Linux or Red Hat Software Collections. 
Applications using jackson-databind that do not also use logback-core are not impacted by this vulnerability.\n\nThis issue affects the versions of jackson-databind bundled with candlepin as shipped with Red Hat Satellite 6.x. However the affected code is NOT used at this time.", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat Fuse 6.3", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2019-12384", }, { category: "external", summary: "RHBZ#1725807", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1725807", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2019-12384", url: "https://www.cve.org/CVERecord?id=CVE-2019-12384", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2019-12384", url: "https://nvd.nist.gov/vuln/detail/CVE-2019-12384", }, ], release_date: "2019-06-21T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2019-12-19T17:37:50+00:00", details: "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nInstallation instructions are located in the download section of the customer portal.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat Fuse 6.3", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { category: "workaround", details: "The following conditions are needed for an exploit, we recommend avoiding all if possible:\n* Deserialization from sources you do not control\n* `enableDefaultTyping()`\n* 
`@JsonTypeInfo` using `Id.CLASS` or `Id.MINIMAL_CLASS`", product_ids: [ "Red Hat Fuse 6.3", ], }, ], scores: [ { cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat Fuse 6.3", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution", }, ], }
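The CVE-2019-12384 description and workaround above list the preconditions: polymorphic type handling (default typing, or @JsonTypeInfo with Id.CLASS / Id.MINIMAL_CLASS) applied to input the application does not control, plus a gadget class on the classpath. The following is an added example, not code from the advisory or from jackson-databind, showing the vulnerable configuration next to an allow-list replacement. It assumes jackson-databind 2.10 or later, where the PolymorphicTypeValidator API exists (2.9.9, the fix release for this CVE, instead added the logback-core gadget to a deny-list). The package prefix com.example.model. and the JSON document are constructed for the demo, and a harmless java.util.HashMap stands in for a gadget class: the point is which side picks the class that gets instantiated.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Added example (not from the advisory or from jackson-databind itself).
 * Assumes jackson-databind 2.10+ on the classpath, which introduced the
 * PolymorphicTypeValidator allow-list API.
 */
public class DefaultTypingDemo {

    /** Application model: a field typed as Object is exactly what default typing binds polymorphically. */
    public static class Event {
        public String name;
        public Object payload;
    }

    /**
     * Constructed attacker-controlled document. Under default typing the first array
     * element is a class name that the mapper loads and instantiates. HashMap is a
     * harmless stand-in; with a gadget class (such as the logback-core one this CVE
     * names) on the classpath, the same shape of document drives its side effects.
     */
    static final String UNTRUSTED =
        "{\"name\":\"login\",\"payload\":[\"java.util.HashMap\",{\"user\":\"alice\"}]}";

    /** The configuration the CVE description warns about: any class named in the input is fair game. */
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated upstream for exactly this reason
        return m;
    }

    /** Hardened: polymorphic type ids are still honoured, but only for subtypes under our own package. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.") // hypothetical package prefix for this demo
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        Event e = vulnerableMapper().readValue(UNTRUSTED, Event.class);
        // Prints java.util.HashMap: the document, not the application, chose the class.
        System.out.println("vulnerable mapper instantiated: " + e.payload.getClass().getName());

        try {
            hardenedMapper().readValue(UNTRUSTED, Event.class);
            System.out.println("unexpected: hardened mapper accepted the type id");
        } catch (JsonMappingException ex) {
            // The validator denies java.util.HashMap before any instance is created.
            System.out.println("hardened mapper rejected it: " + ex.getOriginalMessage());
        }
    }
}
```

The deny-list approach that patched this CVE (and the long series of earlier jackson-databind gadget CVEs) is reactive by construction; an allow-list of your own subtypes, or not enabling default typing at all and using @JsonTypeInfo(use = Id.NAME) with explicitly registered subtypes, removes the class of bug rather than one gadget.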
cve-2019-0201
Vulnerability from cvelistv5
Published
2019-05-23 13:42
Modified
2024-08-04 17:44
Summary
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when it retrieves the ACLs of the requested node, and returns all information contained in the ACL Id field as a plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by a getACL() request to unauthenticated or unprivileged users.
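The summary above describes why the leak matters: the Id field of a digest ACL carries an unsalted hash of user:password, so whatever getACL() hands out can be attacked offline. The following is an added example, not code from the CVE record or from ZooKeeper. It re-implements the digest construction that DigestAuthenticationProvider.generateDigest() uses in the affected versions (base64 of SHA-1 over "user:password", no salt) with the JDK alone, so the disclosed string and the dictionary attack it invites can be reproduced without an ensemble. The user name, password and wordlist are constructed for the demo; it needs Java 11 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.List;

/**
 * Added example, not part of the CVE record or of ZooKeeper. Re-implements the
 * digest scheme DigestAuthenticationProvider.generateDigest() uses in the affected
 * releases so the impact of CVE-2019-0201 can be seen offline.
 */
public class ZkDigestDemo {

    /** Same construction as ZooKeeper's generateDigest("user:password"): returns "user:<base64(sha1)>". */
    static String generateDigest(String idPassword) throws Exception {
        String user = idPassword.split(":", 2)[0];
        byte[] sha1 = MessageDigest.getInstance("SHA-1")
            .digest(idPassword.getBytes(StandardCharsets.UTF_8));
        return user + ":" + Base64.getEncoder().encodeToString(sha1);
    }

    /**
     * Offline dictionary attack against a leaked ACL Id. The hash is unsalted and the
     * user name is part of the leaked string, so each candidate costs one SHA-1 over
     * "user:candidate"; returns the password or null if the wordlist misses.
     */
    static String crack(String leakedId, List<String> wordlist) throws Exception {
        String user = leakedId.split(":", 2)[0];
        for (String candidate : wordlist) {
            if (generateDigest(user + ":" + candidate).equals(leakedId)) {
                return candidate;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed: the Id an unprivileged client sees in a getACL() reply for a node
        // protected with scheme "digest", user "app", password "hunter2".
        String leakedAclId = generateDigest("app:hunter2");
        System.out.println("Id field as returned by getACL(): digest:" + leakedAclId);

        // Constructed wordlist; a real attacker would use a full password list and a GPU.
        List<String> wordlist = List.of("password", "letmein", "zookeeper", "hunter2", "admin");
        System.out.println("recovered password: " + crack(leakedAclId, wordlist));
    }
}
```

Against an affected ensemble the same string comes back from a plain getAcl /path in zkCli.sh with no prior addauth digest. The releases that close the affected ranges (3.4.14 and 3.5.5, which the Hadoop and BookKeeper threads in the references upgrade to) make getACL() check permissions and stop returning the digest to callers that lack them. On the application side the response is the same whether or not you can patch immediately: rotate any digest credential that an unprivileged client could have read, and restrict network reach to the client port so that "unauthenticated user" is not "anyone on the network".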
References
Impacted products
Vendor | Product | Version
---|---|---
Apache Software Foundation | Apache ZooKeeper | 1.0.0 to 3.4.13; 3.5.0-alpha to 3.5.4-beta
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T17:44:14.871Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "108427", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/108427", }, { name: "[debian-lts-announce] 20190524 [SECURITY] [DLA 1801-1] zookeeper security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html", }, { name: "[bookkeeper-issues] 20190531 [GitHub] [bookkeeper] eolivelli opened a new issue #2106: Update ZookKeeper dependency to 3.5.5", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391%40%3Cissues.bookkeeper.apache.org%3E", }, { name: "[accumulo-commits] 20190605 [accumulo] branch 2.0 updated: Update ZooKeeper (CVE-2019-0201)", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a%40%3Ccommits.accumulo.apache.org%3E", }, { name: "DSA-4461", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2019/dsa-4461", }, { name: "20190612 [SECURITY] [DSA 4461-1] zookeeper security update", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "https://seclists.org/bugtraq/2019/Jun/13", }, { name: "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: 
"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E", }, { name: "RHSA-2019:3140", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:3140", }, { name: "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E", }, { name: "RHSA-2019:3892", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { name: "RHSA-2019:4352", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://issues.apache.org/jira/browse/ZOOKEEPER-1392", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://zookeeper.apache.org/security.html#CVE-2019-0201", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: 
"https://security.netapp.com/advisory/ntap-20190619-0001/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "[hadoop-common-issues] 20210816 [GitHub] [hadoop] iwasakims opened a new pull request #3308: HADOOP-17850. Upgrade ZooKeeper to 3.4.14 in branch-3.2.", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r40f32125c1d97ad82404cc918171d9e0fcf78e534256674e9da1eb4b%40%3Ccommon-issues.hadoop.apache.org%3E", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Apache ZooKeeper", vendor: "Apache Software Foundation", versions: [ { status: "affected", version: "1.0.0 to 3.4.13", }, { status: "affected", version: "3.5.0-alpha to 3.5.4-beta", }, ], }, ], descriptions: [ { lang: "en", value: "An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. 
As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.", }, ], problemTypes: [ { descriptions: [ { description: "Information Disclosure", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2021-08-16T12:06:09", orgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", shortName: "apache", }, references: [ { name: "108427", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/108427", }, { name: "[debian-lts-announce] 20190524 [SECURITY] [DLA 1801-1] zookeeper security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html", }, { name: "[bookkeeper-issues] 20190531 [GitHub] [bookkeeper] eolivelli opened a new issue #2106: Update ZookKeeper dependency to 3.5.5", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391%40%3Cissues.bookkeeper.apache.org%3E", }, { name: "[accumulo-commits] 20190605 [accumulo] branch 2.0 updated: Update ZooKeeper (CVE-2019-0201)", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a%40%3Ccommits.accumulo.apache.org%3E", }, { name: "DSA-4461", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2019/dsa-4461", }, { name: "20190612 [SECURITY] [DSA 4461-1] zookeeper security update", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "https://seclists.org/bugtraq/2019/Jun/13", }, { name: "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar", tags: [ "mailing-list", 
"x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E", }, { name: "RHSA-2019:3140", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:3140", }, { name: "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E", }, { name: "RHSA-2019:3892", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { name: "RHSA-2019:4352", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { tags: [ "x_refsource_MISC", ], url: "https://issues.apache.org/jira/browse/ZOOKEEPER-1392", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://zookeeper.apache.org/security.html#CVE-2019-0201", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20190619-0001/", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2020.html", 
}, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "[hadoop-common-issues] 20210816 [GitHub] [hadoop] iwasakims opened a new pull request #3308: HADOOP-17850. Upgrade ZooKeeper to 3.4.14 in branch-3.2.", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r40f32125c1d97ad82404cc918171d9e0fcf78e534256674e9da1eb4b%40%3Ccommon-issues.hadoop.apache.org%3E", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "security@apache.org", ID: "CVE-2019-0201", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Apache ZooKeeper", version: { version_data: [ { version_value: "1.0.0 to 3.4.13", }, { version_value: "3.5.0-alpha to 3.5.4-beta", }, ], }, }, ], }, vendor_name: "Apache Software Foundation", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. 
As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Information Disclosure", }, ], }, ], }, references: { reference_data: [ { name: "108427", refsource: "BID", url: "http://www.securityfocus.com/bid/108427", }, { name: "[debian-lts-announce] 20190524 [SECURITY] [DLA 1801-1] zookeeper security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html", }, { name: "[bookkeeper-issues] 20190531 [GitHub] [bookkeeper] eolivelli opened a new issue #2106: Update ZookKeeper dependency to 3.5.5", refsource: "MLIST", url: "https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391@%3Cissues.bookkeeper.apache.org%3E", }, { name: "[accumulo-commits] 20190605 [accumulo] branch 2.0 updated: Update ZooKeeper (CVE-2019-0201)", refsource: "MLIST", url: "https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a@%3Ccommits.accumulo.apache.org%3E", }, { name: "DSA-4461", refsource: "DEBIAN", url: "https://www.debian.org/security/2019/dsa-4461", }, { name: "20190612 [SECURITY] [DSA 4461-1] zookeeper security update", refsource: "BUGTRAQ", url: "https://seclists.org/bugtraq/2019/Jun/13", }, { name: "[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar", refsource: "MLIST", url: "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E", }, { name: "RHSA-2019:3140", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:3140", }, { name: "[drill-dev] 20191017 Dependencies used 
by Drill contain known vulnerabilities", refsource: "MLIST", url: "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E", }, { name: "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", refsource: "MLIST", url: "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E", }, { name: "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", refsource: "MLIST", url: "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E", }, { name: "RHSA-2019:3892", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { name: "RHSA-2019:4352", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { name: "https://www.oracle.com/security-alerts/cpujul2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { name: "https://issues.apache.org/jira/browse/ZOOKEEPER-1392", refsource: "MISC", url: "https://issues.apache.org/jira/browse/ZOOKEEPER-1392", }, { name: "https://zookeeper.apache.org/security.html#CVE-2019-0201", refsource: "CONFIRM", url: "https://zookeeper.apache.org/security.html#CVE-2019-0201", }, { name: "https://security.netapp.com/advisory/ntap-20190619-0001/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20190619-0001/", }, { name: "https://www.oracle.com/security-alerts/cpuoct2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { name: "https://www.oracle.com//security-alerts/cpujul2021.html", refsource: "MISC", url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, { name: "[hadoop-common-issues] 20210816 [GitHub] [hadoop] iwasakims opened a new 
pull request #3308: HADOOP-17850. Upgrade ZooKeeper to 3.4.14 in branch-3.2.", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r40f32125c1d97ad82404cc918171d9e0fcf78e534256674e9da1eb4b@%3Ccommon-issues.hadoop.apache.org%3E", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "f0158376-9dc2-43b6-827c-5f631a4d8d09", assignerShortName: "apache", cveId: "CVE-2019-0201", datePublished: "2019-05-23T13:42:47", dateReserved: "2018-11-14T00:00:00", dateUpdated: "2024-08-04T17:44:14.871Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2019-9512
Vulnerability from cvelistv5
Published
2019-08-13 20:50
Modified
2024-08-04 21:54
Summary
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
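The mechanism in the summary above, as an added example that is not code from the CVE record or from any of the implementations in the references. It builds PING frames as specified in RFC 7540 section 6.7 and feeds them to a small model of the receiving side whose socket never becomes writable, once without a limit and once with one; the cap of 1,000 unanswered PINGs used by the hardened variant is an assumption for the demo, not a value taken from any vendor's fix.

```java
import java.nio.ByteBuffer;
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Added example (not from the CVE record or from any listed implementation).
 * Every PING (type 0x6, stream 0, 8 opaque bytes) obliges the peer to queue a
 * PING ACK carrying the same bytes; a client that never drains its socket turns
 * that queue into unbounded memory unless the peer caps what it is willing to owe.
 */
public class PingFloodDemo {
    static final int FRAME_HEADER = 9;
    static final int TYPE_PING = 0x6;
    static final int FLAG_ACK = 0x1;

    /** Build a PING frame: 24-bit length (8), type, flags, 31-bit stream id 0, 8 bytes opaque data. */
    static byte[] pingFrame(long opaque, boolean ack) {
        ByteBuffer b = ByteBuffer.allocate(FRAME_HEADER + 8); // big-endian, as on the wire
        b.put((byte) 0).put((byte) 0).put((byte) 8);          // length = 8
        b.put((byte) TYPE_PING);
        b.put((byte) (ack ? FLAG_ACK : 0));
        b.putInt(0);                                          // stream identifier 0, R bit clear
        b.putLong(opaque);
        return b.array();
    }

    /** Minimal receiving side: parses frames and queues the responses it owes. */
    static final class Peer {
        final Deque<byte[]> pendingWrites = new ArrayDeque<>();
        final int maxPendingPingAcks; // 0 means unbounded: the vulnerable behaviour
        int pendingPingAcks;
        boolean closed;

        Peer(int maxPendingPingAcks) { this.maxPendingPingAcks = maxPendingPingAcks; }

        /** Consume one frame from the wire. Returns false once the connection has been torn down. */
        boolean onFrame(byte[] frame) {
            if (closed) return false;
            ByteBuffer b = ByteBuffer.wrap(frame);
            int length = ((b.get() & 0xff) << 16) | ((b.get() & 0xff) << 8) | (b.get() & 0xff);
            int type = b.get() & 0xff;
            int flags = b.get() & 0xff;
            int streamId = b.getInt() & 0x7fffffff;
            if (type != TYPE_PING) return true;          // other frame types are out of scope here
            if (length != 8 || streamId != 0) {          // FRAME_SIZE_ERROR / PROTOCOL_ERROR, RFC 7540 6.7
                closed = true;
                return false;
            }
            if ((flags & FLAG_ACK) != 0) return true;    // an ACK from the peer needs no response
            if (maxPendingPingAcks > 0 && pendingPingAcks >= maxPendingPingAcks) {
                closed = true;                            // hardened: treat the flood as abuse, drop the connection
                return false;                             // (a real server frees the queue with the connection)
            }
            pendingWrites.add(pingFrame(b.getLong(), true)); // owe a PING ACK echoing the opaque data
            pendingPingAcks++;
            return true;
        }

        /** Runs when the socket becomes writable; a flooding client never lets that happen. */
        void flush() { pendingWrites.clear(); pendingPingAcks = 0; }

        long queuedBytes() {
            long n = 0;
            for (byte[] f : pendingWrites) n += f.length;
            return n;
        }
    }

    /** Replay a flood of count PINGs against a peer whose socket never drains. */
    static Peer flood(Peer peer, int count) {
        for (int i = 0; i < count; i++) {
            if (!peer.onFrame(pingFrame(i, false))) break;
        }
        return peer;
    }

    public static void main(String[] args) {
        Peer vulnerable = flood(new Peer(0), 200_000);
        System.out.printf("unbounded: %d acks queued, %d bytes held, closed=%b%n",
            vulnerable.pendingPingAcks, vulnerable.queuedBytes(), vulnerable.closed);

        Peer hardened = flood(new Peer(1_000), 200_000);
        System.out.printf("bounded:   %d acks queued, %d bytes held, closed=%b%n",
            hardened.pendingPingAcks, hardened.queuedBytes(), hardened.closed);
    }
}
```

The model makes one point: the specification obliges a peer to answer every PING but says nothing about how many answers it may have outstanding, and the queued frames here are the smallest possible representation of that debt (17 bytes each, before per-object overhead). The fixes in the references are heuristics of the same general shape, counting control-frame responses owed per connection and closing the connection when a client stops draining them. When checking a deployment, the telltale is per-connection memory or CPU that grows with the PING rate rather than with request volume.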
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T21:54:44.253Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "VU#605641", tags: [ "third-party-advisory", "x_refsource_CERT-VN", "x_transferred", ], url: "https://kb.cert.org/vuls/id/605641/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", }, { name: "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E", }, { name: "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E", }, { name: "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E", }, { name: "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "https://seclists.org/bugtraq/2019/Aug/24", }, { name: "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0", tags: [ "mailing-list", "x_refsource_FULLDISC", "x_transferred", ], url: "http://seclists.org/fulldisclosure/2019/Aug/16", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.synology.com/security/advisory/Synology_SA_19_33", }, { name: "20190819 [SECURITY] [DSA 4503-1] golang-1.11 security update", tags: [ "mailing-list", 
"x_refsource_BUGTRAQ", "x_transferred", ], url: "https://seclists.org/bugtraq/2019/Aug/31", }, { name: "DSA-4503", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2019/dsa-4503", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://support.f5.com/csp/article/K98053339", }, { name: "[oss-security] 20190819 [ANNOUNCE] Security release of Kubernetes v1.15.3, v1.14.6, v1.13.10 - CVE-2019-9512 and CVE-2019-9514", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "http://www.openwall.com/lists/oss-security/2019/08/20/1", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20190823-0001/", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20190823-0004/", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20190823-0005/", }, { name: "openSUSE-SU-2019:2000", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html", }, { name: "FEDORA-2019-5a6a7bc12c", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/", }, { name: "FEDORA-2019-6a2980de56", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/", }, { name: "20190825 [SECURITY] [DSA 4508-1] h2o security update", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "https://seclists.org/bugtraq/2019/Aug/43", }, { name: "DSA-4508", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2019/dsa-4508", }, { name: 
"openSUSE-SU-2019:2056", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html", }, { name: "openSUSE-SU-2019:2072", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.html", }, { name: "FEDORA-2019-55d101a740", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQ/", }, { name: "FEDORA-2019-65db7ad6c7", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7/", }, { name: "openSUSE-SU-2019:2085", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.html", }, { name: "RHSA-2019:2682", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2682", }, { name: "DSA-4520", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2019/dsa-4520", }, { name: "RHSA-2019:2726", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2726", }, { name: "20190910 [SECURITY] [DSA 4520-1] trafficserver security update", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "https://seclists.org/bugtraq/2019/Sep/18", }, { name: "RHSA-2019:2594", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2594", }, { name: "openSUSE-SU-2019:2114", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: 
"http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html", }, { name: "openSUSE-SU-2019:2115", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html", }, { name: "RHSA-2019:2661", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2661", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://kc.mcafee.com/corporate/index?page=content&id=SB10296", }, { name: "RHSA-2019:2690", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2690", }, { name: "RHSA-2019:2766", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2766", }, { name: "openSUSE-SU-2019:2130", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.html", }, { name: "RHSA-2019:2796", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2796", }, { name: "RHSA-2019:2861", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2861", }, { name: "RHSA-2019:2925", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2925", }, { name: "RHSA-2019:2939", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2939", }, { name: "RHSA-2019:2955", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2955", }, { name: "RHSA-2019:2966", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2966", }, { tags: [ "x_refsource_CONFIRM", 
"x_transferred", ], url: "https://support.f5.com/csp/article/K98053339?utm_source=f5support&%3Butm_medium=RSS", }, { name: "RHSA-2019:3131", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:3131", }, { name: "RHSA-2019:2769", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2769", }, { name: "RHSA-2019:3245", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:3245", }, { name: "RHSA-2019:3265", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:3265", }, { name: "RHSA-2019:3892", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { name: "RHSA-2019:3906", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:3906", }, { name: "RHSA-2019:4018", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4018", }, { name: "RHSA-2019:4019", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4019", }, { name: "RHSA-2019:4021", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4021", }, { name: "RHSA-2019:4020", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4020", }, { name: "RHSA-2019:4045", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4045", }, { name: "RHSA-2019:4042", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4042", }, { name: "RHSA-2019:4040", tags: [ 
"vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4040", }, { name: "RHSA-2019:4041", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4041", }, { name: "RHSA-2019:4269", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4269", }, { name: "RHSA-2019:4273", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4273", }, { name: "RHSA-2019:4352", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { name: "RHSA-2020:0406", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2020:0406", }, { name: "RHSA-2020:0727", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2020:0727", }, { name: "USN-4308-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/4308-1/", }, { name: "[debian-lts-announce] 20201208 [SECURITY] [DLA 2485-1] golang-golang-x-net-dev security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2020/12/msg00011.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], credits: [ { lang: "en", value: "Thanks to Jonathan Looney of Netflix for reporting this vulnerability.", }, ], descriptions: [ { lang: "en", value: "Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. 
Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "CWE-400 Uncontrolled Resource Consumption", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2020-12-08T23:06:27", orgId: "37e5125f-f79b-445b-8fad-9564f167944b", shortName: "certcc", }, references: [ { name: "VU#605641", tags: [ "third-party-advisory", "x_refsource_CERT-VN", ], url: "https://kb.cert.org/vuls/id/605641/", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", }, { name: "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E", }, { name: "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E", }, { name: "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E", }, { name: "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0", tags: [ "mailing-list", 
"x_refsource_BUGTRAQ", ], url: "https://seclists.org/bugtraq/2019/Aug/24", }, { name: "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0", tags: [ "mailing-list", "x_refsource_FULLDISC", ], url: "http://seclists.org/fulldisclosure/2019/Aug/16", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www.synology.com/security/advisory/Synology_SA_19_33", }, { name: "20190819 [SECURITY] [DSA 4503-1] golang-1.11 security update", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "https://seclists.org/bugtraq/2019/Aug/31", }, { name: "DSA-4503", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2019/dsa-4503", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://support.f5.com/csp/article/K98053339", }, { name: "[oss-security] 20190819 [ANNOUNCE] Security release of Kubernetes v1.15.3, v1.14.6, v1.13.10 - CVE-2019-9512 and CVE-2019-9514", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "http://www.openwall.com/lists/oss-security/2019/08/20/1", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20190823-0001/", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20190823-0004/", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20190823-0005/", }, { name: "openSUSE-SU-2019:2000", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html", }, { name: "FEDORA-2019-5a6a7bc12c", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/", }, { name: "FEDORA-2019-6a2980de56", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/", }, { name: "20190825 [SECURITY] [DSA 4508-1] h2o security 
update", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "https://seclists.org/bugtraq/2019/Aug/43", }, { name: "DSA-4508", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2019/dsa-4508", }, { name: "openSUSE-SU-2019:2056", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html", }, { name: "openSUSE-SU-2019:2072", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.html", }, { name: "FEDORA-2019-55d101a740", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQ/", }, { name: "FEDORA-2019-65db7ad6c7", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7/", }, { name: "openSUSE-SU-2019:2085", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.html", }, { name: "RHSA-2019:2682", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:2682", }, { name: "DSA-4520", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2019/dsa-4520", }, { name: "RHSA-2019:2726", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:2726", }, { name: "20190910 [SECURITY] [DSA 4520-1] trafficserver security update", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "https://seclists.org/bugtraq/2019/Sep/18", }, { name: "RHSA-2019:2594", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:2594", }, { name: "openSUSE-SU-2019:2114", tags: [ "vendor-advisory", "x_refsource_SUSE", 
], url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html", }, { name: "openSUSE-SU-2019:2115", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html", }, { name: "RHSA-2019:2661", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:2661", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://kc.mcafee.com/corporate/index?page=content&id=SB10296", }, { name: "RHSA-2019:2690", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:2690", }, { name: "RHSA-2019:2766", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:2766", }, { name: "openSUSE-SU-2019:2130", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.html", }, { name: "RHSA-2019:2796", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:2796", }, { name: "RHSA-2019:2861", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:2861", }, { name: "RHSA-2019:2925", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:2925", }, { name: "RHSA-2019:2939", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:2939", }, { name: "RHSA-2019:2955", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:2955", }, { name: "RHSA-2019:2966", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:2966", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://support.f5.com/csp/article/K98053339?utm_source=f5support&%3Butm_medium=RSS", }, { name: "RHSA-2019:3131", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: 
"https://access.redhat.com/errata/RHSA-2019:3131", }, { name: "RHSA-2019:2769", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:2769", }, { name: "RHSA-2019:3245", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:3245", }, { name: "RHSA-2019:3265", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:3265", }, { name: "RHSA-2019:3892", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { name: "RHSA-2019:3906", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:3906", }, { name: "RHSA-2019:4018", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4018", }, { name: "RHSA-2019:4019", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4019", }, { name: "RHSA-2019:4021", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4021", }, { name: "RHSA-2019:4020", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4020", }, { name: "RHSA-2019:4045", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4045", }, { name: "RHSA-2019:4042", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4042", }, { name: "RHSA-2019:4040", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4040", }, { name: "RHSA-2019:4041", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4041", }, { name: "RHSA-2019:4269", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4269", }, { name: "RHSA-2019:4273", 
tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4273", }, { name: "RHSA-2019:4352", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { name: "RHSA-2020:0406", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2020:0406", }, { name: "RHSA-2020:0727", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2020:0727", }, { name: "USN-4308-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/4308-1/", }, { name: "[debian-lts-announce] 20201208 [SECURITY] [DLA 2485-1] golang-golang-x-net-dev security update", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.debian.org/debian-lts-announce/2020/12/msg00011.html", }, ], source: { discovery: "UNKNOWN", }, title: "Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service", x_generator: { engine: "Vulnogram 0.0.7", }, x_legacyV4Record: { CVE_data_meta: { AKA: "HTTP/2 Ping Flood", ASSIGNER: "cert@cert.org", ID: "CVE-2019-9512", STATE: "PUBLIC", TITLE: "Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, credit: [ { lang: "eng", value: "Thanks to Jonathan Looney of Netflix for reporting this vulnerability.", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. 
Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.", }, ], }, generator: { engine: "Vulnogram 0.0.7", }, impact: { cvss: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-400 Uncontrolled Resource Consumption", }, ], }, ], }, references: { reference_data: [ { name: "VU#605641", refsource: "CERT-VN", url: "https://kb.cert.org/vuls/id/605641/", }, { name: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", refsource: "MISC", url: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", }, { name: "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks", refsource: "MLIST", url: "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7@%3Cdev.trafficserver.apache.org%3E", }, { name: "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks", refsource: "MLIST", url: "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3E", }, { name: "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E", }, { name: "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0", refsource: "BUGTRAQ", url: "https://seclists.org/bugtraq/2019/Aug/24", }, { name: "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0", refsource: 
"FULLDISC", url: "http://seclists.org/fulldisclosure/2019/Aug/16", }, { name: "https://www.synology.com/security/advisory/Synology_SA_19_33", refsource: "CONFIRM", url: "https://www.synology.com/security/advisory/Synology_SA_19_33", }, { name: "20190819 [SECURITY] [DSA 4503-1] golang-1.11 security update", refsource: "BUGTRAQ", url: "https://seclists.org/bugtraq/2019/Aug/31", }, { name: "DSA-4503", refsource: "DEBIAN", url: "https://www.debian.org/security/2019/dsa-4503", }, { name: "https://support.f5.com/csp/article/K98053339", refsource: "CONFIRM", url: "https://support.f5.com/csp/article/K98053339", }, { name: "[oss-security] 20190819 [ANNOUNCE] Security release of Kubernetes v1.15.3, v1.14.6, v1.13.10 - CVE-2019-9512 and CVE-2019-9514", refsource: "MLIST", url: "http://www.openwall.com/lists/oss-security/2019/08/20/1", }, { name: "https://security.netapp.com/advisory/ntap-20190823-0001/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20190823-0001/", }, { name: "https://security.netapp.com/advisory/ntap-20190823-0004/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20190823-0004/", }, { name: "https://security.netapp.com/advisory/ntap-20190823-0005/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20190823-0005/", }, { name: "openSUSE-SU-2019:2000", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00076.html", }, { name: "FEDORA-2019-5a6a7bc12c", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/", }, { name: "FEDORA-2019-6a2980de56", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/", }, { name: "20190825 [SECURITY] [DSA 4508-1] h2o security update", refsource: "BUGTRAQ", url: "https://seclists.org/bugtraq/2019/Aug/43", }, { name: "DSA-4508", 
refsource: "DEBIAN", url: "https://www.debian.org/security/2019/dsa-4508", }, { name: "openSUSE-SU-2019:2056", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00002.html", }, { name: "openSUSE-SU-2019:2072", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00011.html", }, { name: "FEDORA-2019-55d101a740", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYO6E3H34C346D2E443GLXK7OK6KIYIQ/", }, { name: "FEDORA-2019-65db7ad6c7", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4BBP27PZGSY6OP6D26E5FW4GZKBFHNU7/", }, { name: "openSUSE-SU-2019:2085", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00021.html", }, { name: "RHSA-2019:2682", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:2682", }, { name: "DSA-4520", refsource: "DEBIAN", url: "https://www.debian.org/security/2019/dsa-4520", }, { name: "RHSA-2019:2726", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:2726", }, { name: "20190910 [SECURITY] [DSA 4520-1] trafficserver security update", refsource: "BUGTRAQ", url: "https://seclists.org/bugtraq/2019/Sep/18", }, { name: "RHSA-2019:2594", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:2594", }, { name: "openSUSE-SU-2019:2114", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html", }, { name: "openSUSE-SU-2019:2115", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html", }, { name: "RHSA-2019:2661", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:2661", }, { name: "https://kc.mcafee.com/corporate/index?page=content&id=SB10296", refsource: "CONFIRM", url: "https://kc.mcafee.com/corporate/index?page=content&id=SB10296", }, { 
name: "RHSA-2019:2690", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:2690", }, { name: "RHSA-2019:2766", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:2766", }, { name: "openSUSE-SU-2019:2130", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.html", }, { name: "RHSA-2019:2796", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:2796", }, { name: "RHSA-2019:2861", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:2861", }, { name: "RHSA-2019:2925", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:2925", }, { name: "RHSA-2019:2939", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:2939", }, { name: "RHSA-2019:2955", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:2955", }, { name: "RHSA-2019:2966", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:2966", }, { name: "https://support.f5.com/csp/article/K98053339?utm_source=f5support&utm_medium=RSS", refsource: "CONFIRM", url: "https://support.f5.com/csp/article/K98053339?utm_source=f5support&utm_medium=RSS", }, { name: "RHSA-2019:3131", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:3131", }, { name: "RHSA-2019:2769", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:2769", }, { name: "RHSA-2019:3245", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:3245", }, { name: "RHSA-2019:3265", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:3265", }, { name: "RHSA-2019:3892", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { name: "RHSA-2019:3906", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:3906", }, { name: "RHSA-2019:4018", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:4018", }, { name: "RHSA-2019:4019", refsource: "REDHAT", url: 
"https://access.redhat.com/errata/RHSA-2019:4019", }, { name: "RHSA-2019:4021", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:4021", }, { name: "RHSA-2019:4020", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:4020", }, { name: "RHSA-2019:4045", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:4045", }, { name: "RHSA-2019:4042", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:4042", }, { name: "RHSA-2019:4040", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:4040", }, { name: "RHSA-2019:4041", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:4041", }, { name: "RHSA-2019:4269", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:4269", }, { name: "RHSA-2019:4273", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:4273", }, { name: "RHSA-2019:4352", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { name: "RHSA-2020:0406", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2020:0406", }, { name: "RHSA-2020:0727", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2020:0727", }, { name: "USN-4308-1", refsource: "UBUNTU", url: "https://usn.ubuntu.com/4308-1/", }, { name: "[debian-lts-announce] 20201208 [SECURITY] [DLA 2485-1] golang-golang-x-net-dev security update", refsource: "MLIST", url: "https://lists.debian.org/debian-lts-announce/2020/12/msg00011.html", }, ], }, source: { discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "37e5125f-f79b-445b-8fad-9564f167944b", assignerShortName: "certcc", cveId: "CVE-2019-9512", datePublished: "2019-08-13T20:50:59", dateReserved: "2019-03-01T00:00:00", dateUpdated: "2024-08-04T21:54:44.253Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2019-12384
Vulnerability from cvelistv5
Published
2019-06-24 15:34
Modified
2024-08-04 23:17
Summary
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T23:17:39.988Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "[debian-lts-announce] 20190621 [SECURITY] [DLA 1831-1] jackson-databind security update", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.debian.org/debian-lts-announce/2019/06/msg00019.html", }, { name: "RHSA-2019:1820", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:1820", }, { name: "[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9%40%3Cdev.tomee.apache.org%3E", }, { name: "[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9%40%3Cdev.tomee.apache.org%3E", }, { name: "[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4%40%3Cdev.tomee.apache.org%3E", }, { name: "[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 
and CVE-2019-14439", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d%40%3Cdev.tomee.apache.org%3E", }, { name: "[tomee-dev] 20190905 [GitHub] [tomee] robert-schaft-hon commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be%40%3Cdev.tomee.apache.org%3E", }, { name: "[tomee-dev] 20190906 [GitHub] [tomee] rzo1 commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319%40%3Cdev.tomee.apache.org%3E", }, { name: "[struts-dev] 20190908 Build failed in Jenkins: Struts-master-JDK8-dependency-check #204", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef%40%3Cdev.struts.apache.org%3E", }, { name: "[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1%40%3Cdev.tomee.apache.org%3E", }, { name: "[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439", tags: [ 
"mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b%40%3Cdev.tomee.apache.org%3E", }, { name: "RHSA-2019:2720", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2720", }, { name: "FEDORA-2019-99ff6aa32c", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/", }, { name: "[cassandra-commits] 20190919 [jira] [Created] (CASSANDRA-15328) Bump jackson version to >= 2.9.9.3 to address security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592%40%3Ccommits.cassandra.apache.org%3E", }, { name: "FEDORA-2019-ae6a703b8f", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/", }, { name: "FEDORA-2019-fb23eccc03", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/", }, { name: "RHSA-2019:2858", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2858", }, { name: "RHSA-2019:2937", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2937", }, { name: "RHSA-2019:2935", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2935", }, { name: "RHSA-2019:2936", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: 
"https://access.redhat.com/errata/RHSA-2019:2936", }, { name: "RHSA-2019:2938", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2938", }, { name: "DSA-4542", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2019/dsa-4542", }, { name: "20191007 [SECURITY] [DSA 4542-1] jackson-databind security update", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "https://seclists.org/bugtraq/2019/Oct/6", }, { name: "[geode-notifications] 20191007 [GitHub] [geode] jmelchio commented on issue #4102: Fix for GEODE-7255: Pickup Jackson CVE fix", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/e0733058c0366b703e6757d8d2a7a04b943581f659e9c271f0841dfe%40%3Cnotifications.geode.apache.org%3E", }, { name: "RHSA-2019:2998", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2998", }, { name: "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E", }, { name: "RHSA-2019:3149", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:3149", }, { name: "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E", }, { name: "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities", tags: [ "mailing-list", 
"x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E", }, { name: "RHSA-2019:3200", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:3200", }, { name: "RHSA-2019:3292", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:3292", }, { name: "RHSA-2019:3297", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:3297", }, { name: "[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E", }, { name: "RHSA-2019:3901", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:3901", }, { name: "RHSA-2019:4352", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { name: "[nifi-commits] 20200123 svn commit: r1873083 - /nifi/site/trunk/security.html", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujul2020.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: 
CVE-2019-12384 (cvelistv5 record, assigner mitre): FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
Reserved 2019-05-27, published 2019-06-24 15:34, modified 2024-08-04 23:17. State: PUBLISHED.
cve-2019-9514
Vulnerability from cvelistv5
Published
2019-08-13 00:00
Modified
2024-08-04 21:54
Summary
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
Credits: Thanks to Jonathan Looney of Netflix for reporting this vulnerability.
CVSS v3.0: base score 7.5 (HIGH), vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400 Uncontrolled Resource Consumption
Assigner: certcc (record updated 2023-10-19)
}, { name: "RHSA-2019:2594", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:2594", }, { name: "openSUSE-SU-2019:2114", tags: [ "vendor-advisory", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html", }, { name: "openSUSE-SU-2019:2115", tags: [ "vendor-advisory", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html", }, { name: "RHSA-2019:2661", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:2661", }, { url: "https://kc.mcafee.com/corporate/index?page=content&id=SB10296", }, { name: "RHSA-2019:2690", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:2690", }, { name: "RHSA-2019:2766", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:2766", }, { name: "openSUSE-SU-2019:2130", tags: [ "vendor-advisory", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00038.html", }, { name: "RHSA-2019:2796", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:2796", }, { name: "RHSA-2019:2861", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:2861", }, { name: "RHSA-2019:2925", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:2925", }, { name: "RHSA-2019:2939", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:2939", }, { name: "RHSA-2019:2955", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:2955", }, { name: "RHSA-2019:2966", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:2966", }, { url: "https://support.f5.com/csp/article/K01988340?utm_source=f5support&%3Butm_medium=RSS", }, { name: "RHSA-2019:3131", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:3131", }, { name: "RHSA-2019:2769", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:2769", 
}, { name: "RHSA-2019:3245", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:3245", }, { name: "RHSA-2019:3265", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:3265", }, { name: "RHSA-2019:3892", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { name: "RHSA-2019:3906", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:3906", }, { name: "RHSA-2019:4018", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:4018", }, { name: "RHSA-2019:4019", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:4019", }, { name: "RHSA-2019:4021", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:4021", }, { name: "RHSA-2019:4020", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:4020", }, { name: "RHSA-2019:4045", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:4045", }, { name: "RHSA-2019:4042", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:4042", }, { name: "RHSA-2019:4040", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:4040", }, { name: "RHSA-2019:4041", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:4041", }, { name: "RHSA-2019:4269", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:4269", }, { name: "RHSA-2019:4273", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:4273", }, { name: "RHSA-2019:4352", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { name: "RHSA-2020:0406", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2020:0406", }, { name: "RHSA-2020:0727", tags: [ "vendor-advisory", ], url: "https://access.redhat.com/errata/RHSA-2020:0727", }, { name: "USN-4308-1", tags: [ 
"vendor-advisory", ], url: "https://usn.ubuntu.com/4308-1/", }, { name: "DSA-4669", tags: [ "vendor-advisory", ], url: "https://www.debian.org/security/2020/dsa-4669", }, { name: "[debian-lts-announce] 20201208 [SECURITY] [DLA 2485-1] golang-golang-x-net-dev security update", tags: [ "mailing-list", ], url: "https://lists.debian.org/debian-lts-announce/2020/12/msg00011.html", }, { name: "[oss-security] 20231018 Re: CVE-2023-44487: HTTP/2 Rapid Reset attack against many implementations", tags: [ "mailing-list", ], url: "http://www.openwall.com/lists/oss-security/2023/10/18/8", }, ], source: { discovery: "UNKNOWN", }, title: "Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service", x_generator: { engine: "Vulnogram 0.0.7", }, }, }, cveMetadata: { assignerOrgId: "37e5125f-f79b-445b-8fad-9564f167944b", assignerShortName: "certcc", cveId: "CVE-2019-9514", datePublished: "2019-08-13T00:00:00", dateReserved: "2019-03-01T00:00:00", dateUpdated: "2024-08-04T21:54:44.511Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2019-9518
Vulnerability from cvelistv5
Published
2019-08-13 20:50
Modified
2024-08-04 21:54
Summary
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T21:54:44.510Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "VU#605641", tags: [ "third-party-advisory", "x_refsource_CERT-VN", "x_transferred", ], url: "https://kb.cert.org/vuls/id/605641/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", }, { name: "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "https://seclists.org/bugtraq/2019/Aug/24", }, { name: "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0", tags: [ "mailing-list", "x_refsource_FULLDISC", "x_transferred", ], url: "http://seclists.org/fulldisclosure/2019/Aug/16", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.synology.com/security/advisory/Synology_SA_19_33", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://support.f5.com/csp/article/K46011592", }, { name: "[trafficserver-announce] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/2653c56545573b528f3f6352a29eccaf498bd6fb2a6a59568d81a61d%40%3Cannounce.trafficserver.apache.org%3E", }, { name: "[trafficserver-users] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/091b518265bce56a16af87b77c8cfacda902a02079e866f9fdf13b61%40%3Cusers.trafficserver.apache.org%3E", }, { name: "[trafficserver-dev] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ff5b0821a6985159a832ff6d1a4bd311ac07ecc7db1e2d8bab619107%40%3Cdev.trafficserver.apache.org%3E", }, { tags: 
[ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20190823-0005/", }, { name: "FEDORA-2019-5a6a7bc12c", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/", }, { name: "FEDORA-2019-6a2980de56", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/", }, { name: "DSA-4520", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2019/dsa-4520", }, { name: "20190910 [SECURITY] [DSA 4520-1] trafficserver security update", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "https://seclists.org/bugtraq/2019/Sep/18", }, { name: "openSUSE-SU-2019:2114", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html", }, { name: "openSUSE-SU-2019:2115", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://kc.mcafee.com/corporate/index?page=content&id=SB10296", }, { name: "RHSA-2019:2925", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2925", }, { name: "RHSA-2019:2939", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2939", }, { name: "RHSA-2019:2955", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2955", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: 
"https://support.f5.com/csp/article/K46011592?utm_source=f5support&%3Butm_medium=RSS", }, { name: "RHSA-2019:3892", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { name: "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E", }, { name: "RHSA-2019:4352", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { name: "RHSA-2020:0727", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2020:0727", }, { name: "[cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/r99a625fb17032646d96cd23dec49603ff630e9318e44a686d63046bc%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/rd31230d01fa6aad18bdadc0720acd1747e53690bd35f73a48e7a9b75%40%3Ccommits.cassandra.apache.org%3E", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], credits: [ { lang: "en", value: "Thanks to Piotr Sikora of Google for reporting this vulnerability.", }, ], descriptions: [ { lang: "en", value: "Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. 
The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "CWE-400 Uncontrolled Resource Consumption", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-05-26T16:06:12", orgId: "37e5125f-f79b-445b-8fad-9564f167944b", shortName: "certcc", }, references: [ { name: "VU#605641", tags: [ "third-party-advisory", "x_refsource_CERT-VN", ], url: "https://kb.cert.org/vuls/id/605641/", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", }, { name: "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "https://seclists.org/bugtraq/2019/Aug/24", }, { name: "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0", tags: [ "mailing-list", "x_refsource_FULLDISC", ], url: "http://seclists.org/fulldisclosure/2019/Aug/16", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www.synology.com/security/advisory/Synology_SA_19_33", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://support.f5.com/csp/article/K46011592", }, { name: "[trafficserver-announce] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames", tags: [ "mailing-list", "x_refsource_MLIST", ], url: 
"https://lists.apache.org/thread.html/2653c56545573b528f3f6352a29eccaf498bd6fb2a6a59568d81a61d%40%3Cannounce.trafficserver.apache.org%3E", }, { name: "[trafficserver-users] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/091b518265bce56a16af87b77c8cfacda902a02079e866f9fdf13b61%40%3Cusers.trafficserver.apache.org%3E", }, { name: "[trafficserver-dev] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ff5b0821a6985159a832ff6d1a4bd311ac07ecc7db1e2d8bab619107%40%3Cdev.trafficserver.apache.org%3E", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20190823-0005/", }, { name: "FEDORA-2019-5a6a7bc12c", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/", }, { name: "FEDORA-2019-6a2980de56", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/", }, { name: "DSA-4520", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2019/dsa-4520", }, { name: "20190910 [SECURITY] [DSA 4520-1] trafficserver security update", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "https://seclists.org/bugtraq/2019/Sep/18", }, { name: "openSUSE-SU-2019:2114", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html", }, { name: "openSUSE-SU-2019:2115", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html", }, { tags: [ "x_refsource_CONFIRM", ], url: 
"https://kc.mcafee.com/corporate/index?page=content&id=SB10296", }, { name: "RHSA-2019:2925", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:2925", }, { name: "RHSA-2019:2939", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:2939", }, { name: "RHSA-2019:2955", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:2955", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://support.f5.com/csp/article/K46011592?utm_source=f5support&%3Butm_medium=RSS", }, { name: "RHSA-2019:3892", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { name: "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E", }, { name: "RHSA-2019:4352", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { name: "RHSA-2020:0727", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2020:0727", }, { name: "[cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/r99a625fb17032646d96cd23dec49603ff630e9318e44a686d63046bc%40%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/rd31230d01fa6aad18bdadc0720acd1747e53690bd35f73a48e7a9b75%40%3Ccommits.cassandra.apache.org%3E", }, ], source: { discovery: 
"UNKNOWN", }, title: "Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service", x_generator: { engine: "Vulnogram 0.0.7", }, x_legacyV4Record: { CVE_data_meta: { AKA: "HTTP/2 Empty Frame Flooding", ASSIGNER: "cert@cert.org", ID: "CVE-2019-9518", STATE: "PUBLIC", TITLE: "Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, credit: [ { lang: "eng", value: "Thanks to Piotr Sikora of Google for reporting this vulnerability.", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. 
This can consume excess CPU.", }, ], }, generator: { engine: "Vulnogram 0.0.7", }, impact: { cvss: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-400 Uncontrolled Resource Consumption", }, ], }, ], }, references: { reference_data: [ { name: "VU#605641", refsource: "CERT-VN", url: "https://kb.cert.org/vuls/id/605641/", }, { name: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", refsource: "MISC", url: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", }, { name: "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0", refsource: "BUGTRAQ", url: "https://seclists.org/bugtraq/2019/Aug/24", }, { name: "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0", refsource: "FULLDISC", url: "http://seclists.org/fulldisclosure/2019/Aug/16", }, { name: "https://www.synology.com/security/advisory/Synology_SA_19_33", refsource: "CONFIRM", url: "https://www.synology.com/security/advisory/Synology_SA_19_33", }, { name: "https://support.f5.com/csp/article/K46011592", refsource: "CONFIRM", url: "https://support.f5.com/csp/article/K46011592", }, { name: "[trafficserver-announce] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames", refsource: "MLIST", url: "https://lists.apache.org/thread.html/2653c56545573b528f3f6352a29eccaf498bd6fb2a6a59568d81a61d@%3Cannounce.trafficserver.apache.org%3E", }, { name: "[trafficserver-users] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames", refsource: "MLIST", url: 
"https://lists.apache.org/thread.html/091b518265bce56a16af87b77c8cfacda902a02079e866f9fdf13b61@%3Cusers.trafficserver.apache.org%3E", }, { name: "[trafficserver-dev] 20190820 ATS is vulnerable to a HTTP/2 attack with empty frames", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ff5b0821a6985159a832ff6d1a4bd311ac07ecc7db1e2d8bab619107@%3Cdev.trafficserver.apache.org%3E", }, { name: "https://security.netapp.com/advisory/ntap-20190823-0005/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20190823-0005/", }, { name: "FEDORA-2019-5a6a7bc12c", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/", }, { name: "FEDORA-2019-6a2980de56", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/", }, { name: "DSA-4520", refsource: "DEBIAN", url: "https://www.debian.org/security/2019/dsa-4520", }, { name: "20190910 [SECURITY] [DSA 4520-1] trafficserver security update", refsource: "BUGTRAQ", url: "https://seclists.org/bugtraq/2019/Sep/18", }, { name: "openSUSE-SU-2019:2114", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html", }, { name: "openSUSE-SU-2019:2115", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html", }, { name: "https://kc.mcafee.com/corporate/index?page=content&id=SB10296", refsource: "CONFIRM", url: "https://kc.mcafee.com/corporate/index?page=content&id=SB10296", }, { name: "RHSA-2019:2925", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:2925", }, { name: "RHSA-2019:2939", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:2939", }, { name: "RHSA-2019:2955", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:2955", }, { name: 
"https://support.f5.com/csp/article/K46011592?utm_source=f5support&utm_medium=RSS", refsource: "CONFIRM", url: "https://support.f5.com/csp/article/K46011592?utm_source=f5support&utm_medium=RSS", }, { name: "RHSA-2019:3892", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { name: "[druid-commits] 20191115 [GitHub] [incubator-druid] ccaominh opened a new pull request #8878: Address security vulnerabilities", refsource: "MLIST", url: "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E", }, { name: "RHSA-2019:4352", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { name: "RHSA-2020:0727", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2020:0727", }, { name: "[cassandra-commits] 20210526 [jira] [Created] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty", refsource: "MLIST", url: "https://lists.apache.org/thread.html/r99a625fb17032646d96cd23dec49603ff630e9318e44a686d63046bc@%3Ccommits.cassandra.apache.org%3E", }, { name: "[cassandra-commits] 20210526 [jira] [Updated] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty", refsource: "MLIST", url: "https://lists.apache.org/thread.html/rd31230d01fa6aad18bdadc0720acd1747e53690bd35f73a48e7a9b75@%3Ccommits.cassandra.apache.org%3E", }, ], }, source: { discovery: "UNKNOWN", }, }, }, }, cveMetadata: { assignerOrgId: "37e5125f-f79b-445b-8fad-9564f167944b", assignerShortName: "certcc", cveId: "CVE-2019-9518", datePublished: "2019-08-13T20:50:59", dateReserved: "2019-03-01T00:00:00", dateUpdated: "2024-08-04T21:54:44.510Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2019-9515
Vulnerability from cvelistv5
Published
2019-08-13 20:50
Modified
2024-08-04 21:54
Summary
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
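The two summaries above (CVE-2019-9518 empty-frame flood and CVE-2019-9515 SETTINGS flood) describe the same asymmetry: each frame costs the attacker nine bytes, but costs the server a parse, a state update and, for SETTINGS, a mandatory ACK. The following Python is an added illustration, not code from Red Hat, Netty, Undertow or any other vendor referenced in this advisory. It parses raw RFC 7540 frames from a constructed byte buffer and keeps a per-connection budget of "cheap for the peer, expensive for us" frames, closing the connection once the budget is exceeded. The class name, the MAX_EMPTY_FRAMES and MAX_UNACKED_SETTINGS thresholds and the sample traffic are all hypothetical; real servers tune such limits and usually apply the same idea to PING and RST_STREAM floods as well.

```python
"""Minimal HTTP/2 frame parser with a per-connection abuse budget.

Added example (not vendor code) showing how a server can detect the
CVE-2019-9518 empty-frame flood and the CVE-2019-9515 SETTINGS flood.
Thresholds, class names and sample traffic are hypothetical.
"""
import struct
from dataclasses import dataclass
from typing import Iterator, Optional

# Frame types, RFC 7540 section 6
DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS = 0x0, 0x1, 0x2, 0x3, 0x4
PUSH_PROMISE, PING, GOAWAY, WINDOW_UPDATE, CONTINUATION = 0x5, 0x6, 0x7, 0x8, 0x9
FLAG_END_STREAM = 0x1  # meaningful on DATA and HEADERS
FLAG_ACK = 0x1         # meaningful on SETTINGS and PING

# Hypothetical budgets; production servers tune these per deployment.
MAX_EMPTY_FRAMES = 8      # consecutive empty DATA/HEADERS/CONTINUATION/PUSH_PROMISE without END_STREAM
MAX_UNACKED_SETTINGS = 4  # SETTINGS frames queued for our ACK before the write side flushes


@dataclass
class Frame:
    length: int
    type: int
    flags: int
    stream_id: int
    payload: bytes


def parse_frames(buf: bytes) -> Iterator[Frame]:
    """Split a byte buffer into frames: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    off = 0
    while off + 9 <= len(buf):
        hdr = buf[off:off + 9]
        length = int.from_bytes(hdr[0:3], "big")
        ftype, flags = hdr[3], hdr[4]
        stream_id = struct.unpack("!I", hdr[5:9])[0] & 0x7FFFFFFF
        if off + 9 + length > len(buf):
            break  # incomplete frame; a real server waits for more bytes
        yield Frame(length, ftype, flags, stream_id, buf[off + 9:off + 9 + length])
        off += 9 + length


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialise one frame; used here only to construct sample traffic."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


class ConnectionGuard:
    """Per-connection counters for frames that make no protocol progress."""

    def __init__(self) -> None:
        self.empty_frames = 0
        self.unacked_settings = 0
        self.closed_reason: Optional[str] = None

    def feed(self, data: bytes) -> Optional[str]:
        """Inspect every frame in data; return the close reason once the budget is blown."""
        for frame in parse_frames(data):
            if self.closed_reason:
                break
            self._inspect(frame)
        return self.closed_reason

    def _inspect(self, f: Frame) -> None:
        if f.type in (DATA, HEADERS, CONTINUATION, PUSH_PROMISE):
            # CVE-2019-9518: zero-length frame that neither carries data nor ends the stream
            if f.length == 0 and not (f.flags & FLAG_END_STREAM):
                self.empty_frames += 1
                if self.empty_frames > MAX_EMPTY_FRAMES:
                    self.closed_reason = "ENHANCE_YOUR_CALM: empty frame flood"
            else:
                self.empty_frames = 0  # a frame that makes progress resets the budget
        elif f.type == SETTINGS and not (f.flags & FLAG_ACK):
            # CVE-2019-9515: RFC 7540 6.5 obliges us to ACK every non-ACK SETTINGS frame
            self.unacked_settings += 1
            if self.unacked_settings > MAX_UNACKED_SETTINGS:
                self.closed_reason = "ENHANCE_YOUR_CALM: SETTINGS flood"

    def flushed_acks(self) -> None:
        """Call when the write side has actually sent the queued SETTINGS ACKs."""
        self.unacked_settings = 0


def empty_frame_flood(n: int) -> Optional[str]:
    """Constructed attack: n empty DATA frames on stream 1 with no END_STREAM."""
    return ConnectionGuard().feed(build_frame(DATA, 0, 1) * n)


def settings_flood(n: int) -> Optional[str]:
    """Constructed attack: n empty SETTINGS frames, each demanding an ACK."""
    return ConnectionGuard().feed(build_frame(SETTINGS, 0, 0) * n)


def legitimate_traffic() -> Optional[str]:
    """Constructed benign exchange: SETTINGS, its ACK, a request, and a PING."""
    stream = (build_frame(SETTINGS, 0, 0)
              + build_frame(SETTINGS, FLAG_ACK, 0)
              + build_frame(HEADERS, 0x4, 1, b"\x82")          # END_HEADERS, one HPACK byte
              + build_frame(DATA, FLAG_END_STREAM, 1, b"hello")
              + build_frame(PING, 0, 0, b"\x00" * 8))
    return ConnectionGuard().feed(stream)
```

The budget is deliberately tied to how much useful work the peer has produced: a burst of empty frames between real DATA frames is tolerated, while a sustained stream of them is not, and the SETTINGS counter only matters while ACKs are backed up behind a slow or unread socket. Those two properties are what separate a flood from a chatty but legitimate client.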
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T21:54:44.327Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "VU#605641", tags: [ "third-party-advisory", "x_refsource_CERT-VN", "x_transferred", ], url: "https://kb.cert.org/vuls/id/605641/", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", }, { name: "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E", }, { name: "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E", }, { name: "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E", }, { name: "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "https://seclists.org/bugtraq/2019/Aug/24", }, { name: "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0", tags: [ "mailing-list", "x_refsource_FULLDISC", "x_transferred", ], url: "http://seclists.org/fulldisclosure/2019/Aug/16", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.synology.com/security/advisory/Synology_SA_19_33", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: 
"https://support.f5.com/csp/article/K50233772", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20190823-0005/", }, { name: "FEDORA-2019-5a6a7bc12c", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/", }, { name: "FEDORA-2019-6a2980de56", tags: [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/", }, { name: "20190825 [SECURITY] [DSA 4508-1] h2o security update", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "https://seclists.org/bugtraq/2019/Aug/43", }, { name: "DSA-4508", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2019/dsa-4508", }, { name: "DSA-4520", tags: [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred", ], url: "https://www.debian.org/security/2019/dsa-4520", }, { name: "20190910 [SECURITY] [DSA 4520-1] trafficserver security update", tags: [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred", ], url: "https://seclists.org/bugtraq/2019/Sep/18", }, { name: "openSUSE-SU-2019:2114", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html", }, { name: "openSUSE-SU-2019:2115", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://kc.mcafee.com/corporate/index?page=content&id=SB10296", }, { name: "RHSA-2019:2766", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2766", }, { name: 
"RHSA-2019:2796", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2796", }, { name: "RHSA-2019:2861", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2861", }, { name: "RHSA-2019:2925", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2925", }, { name: "RHSA-2019:2939", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2939", }, { name: "RHSA-2019:2955", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:2955", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://support.f5.com/csp/article/K50233772?utm_source=f5support&%3Butm_medium=RSS", }, { name: "RHSA-2019:3892", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { name: "RHSA-2019:4018", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4018", }, { name: "RHSA-2019:4019", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4019", }, { name: "RHSA-2019:4021", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4021", }, { name: "RHSA-2019:4020", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4020", }, { name: "RHSA-2019:4045", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4045", }, { name: "RHSA-2019:4042", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4042", }, { name: 
"RHSA-2019:4040", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4040", }, { name: "RHSA-2019:4041", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4041", }, { name: "RHSA-2019:4352", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { name: "RHSA-2020:0727", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2020:0727", }, { name: "USN-4308-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/4308-1/", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], credits: [ { lang: "en", value: "Thanks to Jonathan Looney of Netflix for reporting this vulnerability.", }, ], descriptions: [ { lang: "en", value: "Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. 
Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "CWE-400 Uncontrolled Resource Consumption", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2020-03-30T21:06:04", orgId: "37e5125f-f79b-445b-8fad-9564f167944b", shortName: "certcc", }, references: [ { name: "VU#605641", tags: [ "third-party-advisory", "x_refsource_CERT-VN", ], url: "https://kb.cert.org/vuls/id/605641/", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", }, { name: "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7%40%3Cdev.trafficserver.apache.org%3E", }, { name: "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04%40%3Cusers.trafficserver.apache.org%3E", }, { name: "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19%40%3Cannounce.trafficserver.apache.org%3E", }, { name: "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0", tags: [ "mailing-list", 
"x_refsource_BUGTRAQ", ], url: "https://seclists.org/bugtraq/2019/Aug/24", }, { name: "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0", tags: [ "mailing-list", "x_refsource_FULLDISC", ], url: "http://seclists.org/fulldisclosure/2019/Aug/16", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www.synology.com/security/advisory/Synology_SA_19_33", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://support.f5.com/csp/article/K50233772", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://security.netapp.com/advisory/ntap-20190823-0005/", }, { name: "FEDORA-2019-5a6a7bc12c", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/", }, { name: "FEDORA-2019-6a2980de56", tags: [ "vendor-advisory", "x_refsource_FEDORA", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/", }, { name: "20190825 [SECURITY] [DSA 4508-1] h2o security update", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "https://seclists.org/bugtraq/2019/Aug/43", }, { name: "DSA-4508", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2019/dsa-4508", }, { name: "DSA-4520", tags: [ "vendor-advisory", "x_refsource_DEBIAN", ], url: "https://www.debian.org/security/2019/dsa-4520", }, { name: "20190910 [SECURITY] [DSA 4520-1] trafficserver security update", tags: [ "mailing-list", "x_refsource_BUGTRAQ", ], url: "https://seclists.org/bugtraq/2019/Sep/18", }, { name: "openSUSE-SU-2019:2114", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html", }, { name: "openSUSE-SU-2019:2115", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html", }, { tags: [ "x_refsource_CONFIRM", ], url: 
"https://kc.mcafee.com/corporate/index?page=content&id=SB10296", }, { name: "RHSA-2019:2766", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:2766", }, { name: "RHSA-2019:2796", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:2796", }, { name: "RHSA-2019:2861", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:2861", }, { name: "RHSA-2019:2925", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:2925", }, { name: "RHSA-2019:2939", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:2939", }, { name: "RHSA-2019:2955", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:2955", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://support.f5.com/csp/article/K50233772?utm_source=f5support&%3Butm_medium=RSS", }, { name: "RHSA-2019:3892", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { name: "RHSA-2019:4018", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4018", }, { name: "RHSA-2019:4019", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4019", }, { name: "RHSA-2019:4021", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4021", }, { name: "RHSA-2019:4020", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4020", }, { name: "RHSA-2019:4045", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4045", }, { name: "RHSA-2019:4042", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4042", }, { name: 
"RHSA-2019:4040", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4040", }, { name: "RHSA-2019:4041", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4041", }, { name: "RHSA-2019:4352", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { name: "RHSA-2020:0727", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2020:0727", }, { name: "USN-4308-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/4308-1/", }, ], source: { discovery: "UNKNOWN", }, title: "Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service", x_generator: { engine: "Vulnogram 0.0.7", }, x_legacyV4Record: { CVE_data_meta: { AKA: "HTTP/2 Settings Flood", ASSIGNER: "cert@cert.org", ID: "CVE-2019-9515", STATE: "PUBLIC", TITLE: "Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, credit: [ { lang: "eng", value: "Thanks to Jonathan Looney of Netflix for reporting this vulnerability.", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. 
Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.", }, ], }, generator: { engine: "Vulnogram 0.0.7", }, impact: { cvss: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-400 Uncontrolled Resource Consumption", }, ], }, ], }, references: { reference_data: [ { name: "VU#605641", refsource: "CERT-VN", url: "https://kb.cert.org/vuls/id/605641/", }, { name: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", refsource: "MISC", url: "https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md", }, { name: "[trafficserver-dev] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks", refsource: "MLIST", url: "https://lists.apache.org/thread.html/bde52309316ae798186d783a5e29f4ad1527f61c9219a289d0eee0a7@%3Cdev.trafficserver.apache.org%3E", }, { name: "[trafficserver-users] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks", refsource: "MLIST", url: "https://lists.apache.org/thread.html/392108390cef48af647a2e47b7fd5380e050e35ae8d1aa2030254c04@%3Cusers.trafficserver.apache.org%3E", }, { name: "[trafficserver-announce] 20190813 Apache Traffic Server is vulnerable to various HTTP/2 attacks", refsource: "MLIST", url: "https://lists.apache.org/thread.html/ad3d01e767199c1aed8033bb6b3f5bf98c011c7c536f07a5d34b3c19@%3Cannounce.trafficserver.apache.org%3E", }, { name: "20190814 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0", refsource: "BUGTRAQ", url: "https://seclists.org/bugtraq/2019/Aug/24", }, { name: "20190816 APPLE-SA-2019-08-13-5 SwiftNIO HTTP/2 1.5.0", refsource: 
"FULLDISC", url: "http://seclists.org/fulldisclosure/2019/Aug/16", }, { name: "https://www.synology.com/security/advisory/Synology_SA_19_33", refsource: "CONFIRM", url: "https://www.synology.com/security/advisory/Synology_SA_19_33", }, { name: "https://support.f5.com/csp/article/K50233772", refsource: "CONFIRM", url: "https://support.f5.com/csp/article/K50233772", }, { name: "https://security.netapp.com/advisory/ntap-20190823-0005/", refsource: "CONFIRM", url: "https://security.netapp.com/advisory/ntap-20190823-0005/", }, { name: "FEDORA-2019-5a6a7bc12c", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CMNFX5MNYRWWIMO4BTKYQCGUDMHO3AXP/", }, { name: "FEDORA-2019-6a2980de56", refsource: "FEDORA", url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4ZQGHE3WTYLYAYJEIDJVF2FIGQTAYPMC/", }, { name: "20190825 [SECURITY] [DSA 4508-1] h2o security update", refsource: "BUGTRAQ", url: "https://seclists.org/bugtraq/2019/Aug/43", }, { name: "DSA-4508", refsource: "DEBIAN", url: "https://www.debian.org/security/2019/dsa-4508", }, { name: "DSA-4520", refsource: "DEBIAN", url: "https://www.debian.org/security/2019/dsa-4520", }, { name: "20190910 [SECURITY] [DSA 4520-1] trafficserver security update", refsource: "BUGTRAQ", url: "https://seclists.org/bugtraq/2019/Sep/18", }, { name: "openSUSE-SU-2019:2114", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00032.html", }, { name: "openSUSE-SU-2019:2115", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00031.html", }, { name: "https://kc.mcafee.com/corporate/index?page=content&id=SB10296", refsource: "CONFIRM", url: "https://kc.mcafee.com/corporate/index?page=content&id=SB10296", }, { name: "RHSA-2019:2766", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:2766", }, { name: "RHSA-2019:2796", refsource: "REDHAT", 
url: "https://access.redhat.com/errata/RHSA-2019:2796", }, { name: "RHSA-2019:2861", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:2861", }, { name: "RHSA-2019:2925", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:2925", }, { name: "RHSA-2019:2939", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:2939", }, { name: "RHSA-2019:2955", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:2955", }, { name: "https://support.f5.com/csp/article/K50233772?utm_source=f5support&utm_medium=RSS", refsource: "CONFIRM", url: "https://support.f5.com/csp/article/K50233772?utm_source=f5support&utm_medium=RSS", }, { name: "RHSA-2019:3892", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { name: "RHSA-2019:4018", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:4018", }, { name: "RHSA-2019:4019", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:4019", }, { name: "RHSA-2019:4021", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:4021", }, { name: "RHSA-2019:4020", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:4020", }, { name: "RHSA-2019:4045", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:4045", }, { name: "RHSA-2019:4042", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:4042", }, { name: "RHSA-2019:4040", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:4040", }, { name: "RHSA-2019:4041", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:4041", }, { name: "RHSA-2019:4352", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { name: "RHSA-2020:0727", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2020:0727", }, { name: "USN-4308-1", refsource: "UBUNTU", url: "https://usn.ubuntu.com/4308-1/", }, ], }, source: { discovery: "UNKNOWN", }, }, }, }, 
cveMetadata: { assignerOrgId: "37e5125f-f79b-445b-8fad-9564f167944b", assignerShortName: "certcc", cveId: "CVE-2019-9515", datePublished: "2019-08-13T20:50:59", dateReserved: "2019-03-01T00:00:00", dateUpdated: "2024-08-04T21:54:44.327Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2019-10173
Vulnerability from cvelistv5
Published
2019-07-23 12:50
Modified
2024-08-04 22:10
Summary
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any other supported format, e.g. JSON (regression of CVE-2013-7285).
References
URL | Tags
---|---
https://access.redhat.com/errata/RHSA-2019:3892 | vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2019:4352 | vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2020:0445 | vendor-advisory, x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2020:0727 | vendor-advisory, x_refsource_REDHAT
https://www.oracle.com/security-alerts/cpuapr2020.html | x_refsource_MISC
https://www.oracle.com/security-alerts/cpuoct2020.html | x_refsource_MISC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173 | x_refsource_CONFIRM
http://x-stream.github.io/changes.html#1.4.11 | x_refsource_MISC
https://www.oracle.com/security-alerts/cpujan2021.html | x_refsource_MISC
https://www.oracle.com/security-alerts/cpuApr2021.html | x_refsource_MISC
https://www.oracle.com//security-alerts/cpujul2021.html | x_refsource_MISC
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T22:10:10.018Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2019:3892", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { name: "RHSA-2019:4352", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { name: "RHSA-2020:0445", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2020:0445", }, { name: "RHSA-2020:0727", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2020:0727", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://x-stream.github.io/changes.html#1.4.11", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpujan2021.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "xstream", vendor: "xstream", versions: [ { status: "affected", version: "fixed in 1.4.11", }, ], }, ], descriptions: [ { lang: "en", value: "It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. 
If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.3, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-94", description: "CWE-94", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-07-20T22:53:25", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2019:3892", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { name: "RHSA-2019:4352", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { name: "RHSA-2020:0445", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2020:0445", }, { name: "RHSA-2020:0727", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2020:0727", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173", }, { tags: [ "x_refsource_MISC", ], url: "http://x-stream.github.io/changes.html#1.4.11", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpujan2021.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { tags: [ "x_refsource_MISC", ], url: 
"https://www.oracle.com//security-alerts/cpujul2021.html", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2019-10173", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "xstream", version: { version_data: [ { version_value: "fixed in 1.4.11", }, ], }, }, ], }, vendor_name: "xstream", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)", }, ], }, impact: { cvss: [ [ { vectorString: "7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, ], ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-94", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2019:3892", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:3892", }, { name: "RHSA-2019:4352", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2019:4352", }, { name: "RHSA-2020:0445", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2020:0445", }, { name: "RHSA-2020:0727", refsource: "REDHAT", url: "https://access.redhat.com/errata/RHSA-2020:0727", }, { name: "https://www.oracle.com/security-alerts/cpuapr2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuapr2020.html", }, { name: "https://www.oracle.com/security-alerts/cpuoct2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { name: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173", refsource: "CONFIRM", url: "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10173", }, { name: 
"http://x-stream.github.io/changes.html#1.4.11", refsource: "MISC", url: "http://x-stream.github.io/changes.html#1.4.11", }, { name: "https://www.oracle.com/security-alerts/cpujan2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpujan2021.html", }, { name: "https://www.oracle.com/security-alerts/cpuApr2021.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuApr2021.html", }, { name: "https://www.oracle.com//security-alerts/cpujul2021.html", refsource: "MISC", url: "https://www.oracle.com//security-alerts/cpujul2021.html", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2019-10173", datePublished: "2019-07-23T12:50:44", dateReserved: "2019-03-27T00:00:00", dateUpdated: "2024-08-04T22:10:10.018Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }