CVE-2019-9514

Description

Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.

How to fix CVE-2019-9514

To remediate CVE-2019-9514, upgrade the affected package to a fixed version below.

• —upgrade to 10.16.3-r0 or later
• —upgrade to 0.3.24 or later
• —upgrade to 2.2.5+dfsg2-3 or later
• —upgrade to 10.16.3~dfsg-1 or later
• —no fix listed
• —upgrade to 8.0.5+ds-1 or later

Is CVE-2019-9514 being exploited?

Moderate — EPSS is 9.3%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (6)

• from 0, < 10.16.3-r0
• >= 0.0.0-0, < 0.3.24, >= 0.4.0-0, < 0.4.2
• from 0, < 2.2.5+dfsg2-3
• from 0, < 10.16.3~dfsg-1
• from 0
• from 0, < 8.0.5+ds-1

CVSS scores

References (5)

• ADVISORYgithub.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
• ADVISORYrustsec.org/advisories/RUSTSEC-2024-0003.html
• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2019-9514
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2019-9514