PSIRT

HTTP/2 Multiple DoS Attacks (VU#605641)

Summary

Improper implementations of the HTTP/2 protocol can lead to a variety denial-of-service (DoS) attacks.

The related CVEs are:

CVE-2019-9511, also known as Data Dribble

CVE-2019-9512, also known as Ping Flood

CVE-2019-9513, also known as Resource Loop

CVE-2019-9514, also known as Reset Flood

CVE-2019-9515, also known as Settings Flood

CVE-2019-9516, also known as 0-Length Headers Leak

CVE-2019-9517, also known as Internal Data Buffering

CVE-2019-9518, also known as Empty Frame Flooding

Affected Products

The following products have been confirmed to NOT be vulnerable to any of the above:
FortiOS
FortiAP
FortiSwitch
FortiAnalyzer
FortiWeb
FortiManager
FortiMail

References

https://kb.cert.org/vuls/id/605641/

IR Number	FG-IR-19-225
Date	Sep 3, 2019
Severity	Medium
CVSSv3 Score	0
Impact	Denial of Service (DoS)
CVE ID	CVE-2019-9511 CVE-2019-9512 CVE-2019-9513 CVE-2019-9514 CVE-2019-9515 CVE-2019-9516 CVE-2019-9517 CVE-2019-9518
CVRF	Download

Protect

Detect

Respond

Recover

Identify

Network Security

Endpoint Security

Application Security

Security Operations

PSIRT

HTTP/2 Multiple DoS Attacks (VU#605641)

Summary

Affected Products

References

News/Research

Research Center

PSIRT Center

Services

By Outbreak

By Solution

By Product

Protect

Detect

Respond

Recover

Identify

Network Security

Endpoint Security

Application Security

Security Operations

Threat Intelligence Center

Resource Center

About

FortiGuard Labs

Partners

PSIRT

HTTP/2 Multiple DoS Attacks (VU#605641)

Summary

Affected Products

References

Threat Intelligence
Center