PT-2019-3015 · Node.Js Foundation+11 · Node.Js+11
Jonathan Looney · Published 2019-03-20 · Updated 2026-05-18 · CVE-2019-9511
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
HTTP/2 implementations (affected versions not specified)
nginx (affected versions not specified)
Node.js (affected versions not specified)
Apache HTTP Server (affected versions not specified)
Windows (affected versions not specified)
Description
The issue is related to window size manipulation and stream prioritization manipulation in HTTP/2 implementations, potentially leading to a denial of service. An attacker can request a large amount of data from a specified resource over multiple streams, manipulating window size and stream priority to force the server to queue the data in 1-byte chunks. This can consume excess CPU, memory, or both, depending on how efficiently the data is queued.
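The pattern described above can be looked for in HTTP/2 frame telemetry. The following is an added example, not code from this advisory or from any affected project: it flags connections that open many streams while granting flow-control credit only in tiny steps. The frame-event tuple format, the thresholds and the function names are assumptions made for illustration, and the sample data is constructed.

```python
from collections import defaultdict

# Assumed thresholds for illustration; tune against real traffic.
MIN_STREAMS = 5          # request streams opened on one connection
TINY_WINDOW = 16         # bytes; flow-control credit at or below this is suspicious
MIN_TINY_UPDATES = 20    # tiny WINDOW_UPDATE frames needed before flagging

# Constructed sample events: (connection, frame type, stream id, value).
# value = window increment for WINDOW_UPDATE, setting value for SETTINGS, else 0.
SAMPLE_FRAMES = (
    [("c1", "SETTINGS_INITIAL_WINDOW_SIZE", 0, 1)]
    + [("c1", "HEADERS", sid, 0) for sid in range(1, 17, 2)]
    + [("c1", "PRIORITY", sid, 0) for sid in range(1, 17, 2)]
    + [("c1", "WINDOW_UPDATE", sid, 1) for sid in range(1, 17, 2) for _ in range(4)]
    + [("c2", "SETTINGS_INITIAL_WINDOW_SIZE", 0, 65535)]
    + [("c2", "HEADERS", sid, 0) for sid in (1, 3, 5, 7, 9, 11)]
    + [("c2", "WINDOW_UPDATE", sid, 32768) for sid in (1, 3, 5, 7, 9, 11)]
)

def summarize(frames):
    """Aggregate per-connection flow-control behaviour from frame events."""
    stats = defaultdict(lambda: {"streams": set(), "increments": [],
                                 "priority": 0, "initial_window": 65535})
    for conn, ftype, sid, value in frames:
        s = stats[conn]
        if ftype == "HEADERS":
            s["streams"].add(sid)
        elif ftype == "WINDOW_UPDATE":
            s["increments"].append(value)
        elif ftype == "PRIORITY":
            s["priority"] += 1
        elif ftype == "SETTINGS_INITIAL_WINDOW_SIZE":
            s["initial_window"] = value
    return stats

def suspicious_connections(frames):
    """Return connections that open many streams but grant credit in tiny steps."""
    flagged = {}
    for conn, s in summarize(frames).items():
        tiny = [i for i in s["increments"] if i <= TINY_WINDOW]
        starved = s["initial_window"] <= TINY_WINDOW or len(tiny) >= MIN_TINY_UPDATES
        if len(s["streams"]) >= MIN_STREAMS and starved:
            flagged[conn] = {"streams": len(s["streams"]), "tiny_updates": len(tiny),
                             "priority_frames": s["priority"]}
    return flagged

if __name__ == "__main__":
    for conn, detail in suspicious_connections(SAMPLE_FRAMES).items():
        print(conn, detail)
```

In the constructed sample, connection c1 (initial window of 1 byte, eight streams, 1-byte window updates) is flagged, while c2 (default 65535-byte window, large updates) is not.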
Recommendations
For HTTP/2 implementations, consider disabling the HTTP/2 protocol until a patch is available.
For nginx, restrict access to the HTTP/2 module to minimize the risk of exploitation.
For Node.js, avoid using the HTTP/2 module in production environments until the issue is resolved.
For Apache HTTP Server, consider disabling the HTTP/2 protocol or restricting access to the affected module to minimize the risk of exploitation.
For Windows, apply configuration changes to restrict the use of HTTP/2 or disable it temporarily until a fix is available.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
DoS
Resource Exhaustion
Allocation of Resources Without Limits
Affected Products
ALT Linux
AlmaLinux
Apache HTTP Server
CentOS
Linux Mint
nginx
Node.js
Red Hat
Rocky Linux
SUSE
Ubuntu
Windows