This release serves as a replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.29 SP2, and includes security and bug fixes. Refer to the Release Notes for information on the component upgrades included in this release.

Security Fix(es):

mod_http2: HTTP/2: 0-length headers leads to denial of service (CVE-2019-9516)
mod_http2: HTTP/2: request for large response leads to denial of service (CVE-2019-9517)

Bug Fix(es):

nghttp2: Rebase to 1.39.2

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

nessus 54

fedora 8

openvas 27

oraclelinux 3

amazon 2

redhat 16

f5 1

debiancve 2

nvd 3

cbl_mariner 1

prion 3

httpd 1

cvelist 3

alpinelinux 2

ubuntucve 2

symantec 1

osv 8

veracode 2

redhatcve 2

cve 3

nginx 1

ibm 25

altlinux 1

suse 3

myhack58 1

threatpost 1

almalinux 2

cloudfoundry 1

freebsd 3

fortinet 1

nodejsblog 1

rocky 2

mageia 2

debian 1

archlinux 2

ubuntu 1

hackerone 1

cert 1

apple 2

githubexploit 1

slackware 1

kaspersky 1

nessus

Fedora 29 : mod_http2 (2019-4427fd65be) (0-Length Headers Leak) (Data Dribble) (Internal Data Buffering)

2019-08-30 00:00:00

Fedora 30 : mod_http2 (2019-63ba15cc83) (0-Length Headers Leak) (Data Dribble) (Internal Data Buffering)

2019-09-03 00:00:00

Amazon Linux 2 : mod_http2 (ALAS-2019-1342) (0-Length Headers Leak) (Data Dribble) (Internal Data Buffering)

2019-10-31 00:00:00

fedora

[SECURITY] Fedora 30 Update: mod_http2-1.15.3-2.fc30

2019-08-30 14:21:13

[SECURITY] Fedora 29 Update: mod_http2-1.15.3-2.fc29

2019-08-30 00:51:34

[SECURITY] Fedora 30 Update: nodejs-10.16.3-1.fc30

2019-08-25 00:58:04

openvas

Fedora Update for mod_http2 FEDORA-2019-63ba15cc83

2019-08-31 00:00:00

Fedora Update for mod_http2 FEDORA-2019-4427fd65be

2019-08-31 00:00:00

Apache HTTP Server 2.4.20 - 2.4.39 Multiple Vulnerabilities - Linux

2019-10-18 00:00:00

oraclelinux

httpd:2.4 security update

2019-09-24 00:00:00

nodejs:10 security update

2019-09-30 00:00:00

nginx:1.14 security update

2019-09-19 00:00:00

amazon

Important: mod_http2

2019-10-28 17:43:00

Important: nginx

2019-09-30 21:06:00

redhat

(RHSA-2019:2946) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 SP3 security update

2019-10-01 10:18:36

(RHSA-2019:2893) Important: httpd:2.4 security update

2019-09-24 13:40:44

(RHSA-2019:2955) Important: rh-nodejs8-nodejs security update

2019-10-02 13:56:16

K02591030 : HTTP/2 vulnerabilities CVE-2019-9511, CVE-2019-9513, CVE-2019-9516, and CVE-2019-9517

2019-08-20 00:00:00

debiancve

CVE-2019-9517

2019-08-13 21:15:12

CVE-2019-9516

2019-08-13 21:15:12

nvd

CVE-2019-9517

2019-08-13 21:15:12

CVE-2019-9516

2019-08-13 21:15:12

CVE-2019-3644

2019-09-11 15:15:11

cbl_mariner

CVE-2019-9516 affecting package nginx 1.16.1-2

2021-06-14 15:32:58

prion

Code injection

2019-08-13 21:15:00

Design/Logic Flaw

2019-08-13 21:15:00

Code injection

2019-09-11 15:15:00

httpd

Apache Httpd < 2.4.41 : mod_http2, DoS attack by exhausting h2 workers.

2019-04-10 00:00:00

cvelist

CVE-2019-9517 Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service

2019-08-13 20:50:59

CVE-2019-9516 Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service

2019-08-13 20:50:59

CVE-2019-3644 MWG scanners updated to address CVE-2019-9517

2019-09-11 14:08:37

alpinelinux

CVE-2019-9516

2019-08-13 21:15:12

CVE-2019-9517

2019-08-13 21:15:12

ubuntucve

CVE-2019-9516

2019-08-13 00:00:00

CVE-2019-9517

2019-08-13 00:00:00

symantec

HTTP/2 CVE-2019-9517 Remote Denial of Service Vulnerability

2019-08-13 00:00:00

osv

CVE-2019-9517

2019-08-13 21:15:12

CVE-2019-9516

2019-08-13 21:15:12

Important: nodejs:10 security update

2019-09-30 07:07:29

veracode

Denial Of Service (DoS)

2019-09-13 00:40:24

Denial Of Service (DoS)

2019-10-01 00:17:28

redhatcve

CVE-2019-9517

2021-03-21 00:51:26

CVE-2019-9516

2019-10-29 09:51:47

cve

CVE-2019-9517

2019-08-13 21:15:12

CVE-2019-9516

2019-08-13 21:15:12

CVE-2019-3644

2019-09-11 15:15:11

nginx

Excessive memory usage in HTTP/2 with zero length headers

2019-08-13 21:15:12

ibm

Security Bulletin: Multiple Security Vulnerabilities affect IBM Cloud Private Kubernetes

2019-11-23 16:58:10

Security Bulletin: A security vulnerability has been identified in nginx shipped with PowerAI Vision

2020-01-08 18:55:26

Security Bulletin: Aspera Web Application (Faspex, Console, Orchestrator, Shares) are affected by Apache vulnerabilities (CVE-2019-9517, CVE-2019-10097)

2020-02-07 02:17:54

altlinux

Security fix for the ALT Linux 10 package node version 10.16.3-alt1

2019-08-30 00:00:00

suse

Security update for nodejs10 (important)

2019-09-11 00:00:00

Security update for nodejs8 (important)

2019-09-11 00:00:00

Security update for nginx (moderate)

2019-10-06 00:00:00

myhack58

HTTP/2 denial of service attack vulnerability alerts-a vulnerability alert-the black bar safety net

2019-08-14 00:00:00

threatpost

HTTP Bugs Open Websites to DoS Attacks

2019-08-15 19:20:38

almalinux

Important: nodejs:10 security update

2019-09-30 07:07:29

Important: nginx:1.14 security update

2019-09-17 08:45:10

cloudfoundry

Various HTTP2 CVEs: Some Cloud Foundry products are impacted by HTTP denial of service attacks | Cloud Foundry

2019-12-03 00:00:00

freebsd

Node.js -- multiple vulnerabilities

2019-08-16 00:00:00

NGINX -- Multiple vulnerabilities

2019-08-13 00:00:00

Apache -- Multiple vulnerabilities

2019-08-14 00:00:00

fortinet

HTTP/2 Multiple DoS Attacks (VU#605641)

2019-09-03 00:00:00

nodejsblog

August 2019 Security Releases

2019-08-16 00:00:00

rocky

nodejs:10 security update

2019-09-30 07:07:29

nginx:1.14 security update

2019-09-17 08:45:10

mageia

Updated nginx packages fix security vulnerabilities

2019-11-30 16:06:06

Updated apache packages fix security vulnerabilities

2019-12-25 22:08:41

debian

[SECURITY] [DSA 4505-1] nginx security update

2019-08-22 19:38:21

archlinux

[ASA-201908-13] nginx: denial of service

2019-08-16 00:00:00

[ASA-201908-12] nginx-mainline: denial of service

2019-08-16 00:00:00

ubuntu

nginx vulnerabilities

2019-08-15 00:00:00

hackerone

Localize: Nginx version is disclosed in HTTP response

2020-01-26 21:54:31

cert

HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustion

2019-08-13 00:00:00

apple

About the security content of SwiftNIO HTTP/2 1.5.0

2019-08-13 00:00:00

About the security content of SwiftNIO HTTP/2 1.5.0 - Apple Support

2019-08-13 06:09:21

githubexploit

Exploit for Uncontrolled Resource Consumption in F5 Nginx

2020-12-22 10:16:11

slackware

[slackware-security] httpd

2020-03-31 19:45:57

kaspersky

KLA12366 Multiple vulnerabilities in Apache HTTP Server

2019-08-14 00:00:00

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

CVSS2

7.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.035

Percentile

91.7%

JSON

Related for RHSA-2019:2950