PT-2019-3473 · Apache · Apache Http Server
Jonathan Looney
·
Published
2019-03-20
·
Updated
2026-05-18
·
CVE-2019-9517
CVSS v2.0
7.8
High
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Apache Traffic Server versions (affected versions not specified)
Apache HTTP Server versions (affected versions not specified)
Node.js versions (affected versions not specified)
Description
The issue is a flaw in how HTTP/2 implementations bound the resources spent on a single connection (CWE-770, allocation of resources without limits or throttling), which a remote, unauthenticated client can turn into a denial of service; the Netflix advisory that disclosed it names this case "Internal Data Buffering". HTTP/2 carries its own flow control on top of TCP's: the client advertises how much DATA the server may send (the connection and per-stream windows) independently of how much the TCP socket can actually accept. The attacker opens the HTTP/2 window wide, with SETTINGS_INITIAL_WINDOW_SIZE and WINDOW_UPDATE frames, so the server believes it may send without constraint, while keeping the TCP receive window closed by never reading from the socket, so the server cannot write any bytes on the wire. The attacker then sends a stream of requests for a large response object. A server that generates response data as soon as the HTTP/2 window permits, and queues it until the socket drains, accumulates that data without bound; depending on how responses are queued this consumes excess memory, CPU, or both. The amount buffered is driven by the number of requests, not by the size of any single object, so any moderately large resource on the server is sufficient.
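The following is an added illustration of the mechanism above; it is not code from the advisory, from Apache, or from Node.js. The first part encodes the two HTTP/2 frames the attacker uses to open the flow-control window (RFC 7540 framing, standard library only). The second part is a toy model of one server connection's outbound response queue: the vulnerable variant trusts the peer's advertised window and keeps queuing while the TCP socket never drains, the hardened variant stops producing once a fixed number of bytes is already queued for the connection. Class, function and constant names (ResponseQueue, simulate, the 4 MiB cap) are assumptions made for this example, and the queue model simplifies what any real server does.

```python
"""CVE-2019-9517 illustration: attacker frames plus a toy per-connection
response queue with and without a buffering cap.  Added example; names and
the cap value are assumptions, not any project's implementation."""
import struct
from typing import Optional, Tuple

# RFC 7540 identifiers used below
FRAME_SETTINGS = 0x4
FRAME_WINDOW_UPDATE = 0x8
SETTINGS_INITIAL_WINDOW_SIZE = 0x4
MAX_WINDOW = 2**31 - 1      # largest legal flow-control window (RFC 7540 6.9.1)
DEFAULT_WINDOW = 65535      # initial window before any WINDOW_UPDATE


def frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Encode one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload exceeds the 24-bit length field")
    header = (struct.pack(">I", len(payload))[1:]
              + bytes([ftype, flags])
              + struct.pack(">I", stream_id & 0x7FFFFFFF))   # R bit cleared
    return header + payload


def window_update(stream_id: int, increment: int) -> bytes:
    """WINDOW_UPDATE: stream 0 widens the connection window, N > 0 one stream."""
    if not 1 <= increment <= MAX_WINDOW:
        raise ValueError("increment must be in 1..2^31-1")
    return frame(FRAME_WINDOW_UPDATE, 0, stream_id, struct.pack(">I", increment))


def settings_initial_window(size: int) -> bytes:
    """SETTINGS raising SETTINGS_INITIAL_WINDOW_SIZE for every stream the attacker opens."""
    if not 0 <= size <= MAX_WINDOW:
        raise ValueError("window size out of range")
    return frame(FRAME_SETTINGS, 0, 0, struct.pack(">HI", SETTINGS_INITIAL_WINDOW_SIZE, size))


def parse_frame(data: bytes) -> Tuple[int, int, int, bytes]:
    """Decode one frame; returns (type, flags, stream_id, payload)."""
    length = int.from_bytes(data[:3], "big")
    ftype, flags = data[3], data[4]
    stream_id = struct.unpack(">I", data[5:9])[0] & 0x7FFFFFFF
    return ftype, flags, stream_id, data[9:9 + length]


class ResponseQueue:
    """Toy model of one connection's outbound buffer (assumed design, not a real server).

    The peer's window says how much DATA the server *may* send; the TCP socket
    says how much it *can* write.  When the attacker opens the former and
    closes the latter, everything the server generates sits in this queue.
    """

    def __init__(self, max_buffered: Optional[int] = None):
        self.conn_window = DEFAULT_WINDOW   # bytes the peer currently allows
        self.max_buffered = max_buffered    # None = vulnerable: no cap at all
        self.buffered = 0                   # bytes generated but not yet written
        self.refused = 0                    # requests deferred because of the cap

    def on_window_update(self, increment: int) -> None:
        self.conn_window = min(self.conn_window + increment, MAX_WINDOW)

    def on_request(self, response_size: int) -> int:
        """Generate response bytes for one request; returns the bytes queued."""
        if self.max_buffered is not None and self.buffered >= self.max_buffered:
            self.refused += 1               # hardened: wait for the socket to drain
            return 0
        n = min(response_size, self.conn_window)   # vulnerable path: trusts the h2 window
        self.conn_window -= n
        self.buffered += n
        return n

    def drain(self, nbytes: int) -> int:
        """The TCP socket accepts nbytes (0 while the peer's receive window is closed)."""
        written = min(nbytes, self.buffered)
        self.buffered -= written
        return written


def simulate(requests: int, response_size: int, max_buffered: Optional[int]) -> Tuple[int, int]:
    """Attacker opens the h2 window, never reads from TCP, and requests a large
    object `requests` times.  Returns (bytes_buffered, requests_refused)."""
    q = ResponseQueue(max_buffered=max_buffered)
    q.on_window_update(MAX_WINDOW - DEFAULT_WINDOW)   # WINDOW_UPDATE on stream 0
    for _ in range(requests):
        q.on_request(response_size)
        q.drain(0)                                    # TCP window closed: nothing leaves
    return q.buffered, q.refused


if __name__ == "__main__":
    opener = settings_initial_window(MAX_WINDOW) + window_update(0, MAX_WINDOW - DEFAULT_WINDOW)
    print("attacker sends %d bytes of SETTINGS + WINDOW_UPDATE" % len(opener))
    print("vulnerable (no cap):   buffered, refused =", simulate(1000, 1 << 20, None))
    print("hardened (4 MiB cap):  buffered, refused =", simulate(1000, 1 << 20, 4 << 20))
```

With a thousand requests for a 1 MiB object the uncapped queue holds 1000 MiB for a single connection, all of it inside the 2^31-1 byte window the attacker granted; the capped queue stays at 4 MiB and defers the remaining requests. The point of the cap is that it is keyed to socket backpressure, not to anything the peer advertises, which is the property a server needs against this class of attack.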
Recommendations
For Apache Traffic Server, upgrade to a release that fixes the HTTP/2 implementation; the project published 7.1.7 and 8.0.4 for this issue.
For Apache HTTP Server, upgrade to 2.4.41 or later; until then, disable HTTP/2 by removing h2 and h2c from the Protocols directive.
For Node.js, upgrade to 8.16.1, 10.16.3 or 12.8.1 or later; until then, do not expose servers built on the http2 module to untrusted clients.
Limiting the size of individual response objects is only a partial workaround: the buffered total is driven by the number of requests the attacker issues, so any object large enough to be worth requesting repeatedly still lets the queue grow. A per-connection cap on buffered response data, enforced from socket backpressure rather than from the peer's advertised window, is the property a fix must provide.
Avoid using the HTTP/2 protocol in affected versions until the fix is deployed.
DoS
Resource Exhaustion
Allocation of Resources Without Limits
Related Identifiers
Affected Products
Alt Linux
Almalinux
Apache Http Server
Apache Traffic Server
Centos
Node.Js
Red Hat
Rocky Linux
Suse
Ubuntu