HTTP2: Microsoft Windows HTTP2 Ping Flood Denial of Service
A denial of service vulnerability has been reported in Microsoft Windows. The vulnerability is due to resource exhaustion when HTTP2 Ping frames are continually sent to the web server. A remote unauthenticated attacker can exploit this vulnerability by sending a flood of HTTP2 Ping frames. Successful exploitation could cause a denial of service condition on the target system.
Extended Description
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
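Added example (not part of the original advisory or of any vendor's signature): a per-connection check that parses HTTP/2 frame headers and flags a peer whose PING requests exceed a rate threshold. The threshold values, the class and function names, and the sample frames are assumptions constructed for illustration.

```python
import struct
from collections import deque

PING = 0x6          # HTTP/2 frame type for PING (RFC 7540, section 6.7)
ACK = 0x1           # flag set on a PING response
HEADER_LEN = 9      # 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id

def iter_frames(buf):
    """Yield (type, flags, stream_id, payload) for each complete frame in buf."""
    off = 0
    while off + HEADER_LEN <= len(buf):
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, off)
        length = (hi << 16) | lo
        end = off + HEADER_LEN + length
        if end > len(buf):
            break  # truncated frame: wait for more bytes
        yield ftype, flags, sid & 0x7FFFFFFF, buf[off + HEADER_LEN:end]
        off = end

class PingFloodDetector:
    """Sliding-window count of PING requests (ACK flag clear) on one connection."""
    def __init__(self, max_pings=10, window=1.0):  # thresholds are assumptions
        self.max_pings, self.window = max_pings, window
        self.seen = deque()

    def feed(self, timestamp, data):
        """Return True when the connection exceeds the allowed PING rate."""
        for ftype, flags, _sid, _payload in iter_frames(data):
            if ftype == PING and not flags & ACK:
                self.seen.append(timestamp)
        # Drop PINGs that have aged out of the window.
        while self.seen and timestamp - self.seen[0] > self.window:
            self.seen.popleft()
        return len(self.seen) > self.max_pings

def ping_frame(opaque=b"\x00" * 8, ack=False):
    """Constructed sample input: one PING frame (8-byte payload, stream 0)."""
    return struct.pack(">BHBBI", 0, 8, PING, ACK if ack else 0, 0) + opaque
```

The check reads cleartext frames, so it has to run where TLS has already been terminated. A server or proxy that trips it can close the connection instead of continuing to queue PING responses.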
Affected Products
Nodejs node.js
srx-branch-19.3
vsrx3bsd-19.2
srx-19.4
vsrx3bsd-19.4
srx-branch-19.4
vsrx-19.4
vsrx-19.2
srx-19.3
Apache
Debian
Nodejs
7.8