Ethern Su created CASSANDRA-16698:
-------------------------------------
Summary: Security vulnerability CVE-2019-9518 for Netty
Key: CASSANDRA-16698
URL: https://issues.apache.org/jira/browse/CASSANDRA-16698
Project: Cassandra
Issue Type: Bug
Reporter: Ethern Su
*Cassandra Version: 3.11.10*
*Description:*
*Severity:* NVD CVSS:3.1 7.5 High
*Affecting Package*: netty-all 4.0.44.Final
*Source:* National Vulnerability Database
*Explanation from NVD:* Some HTTP/2 implementations are vulnerable to a flood
of empty frames, potentially leading to a denial of service. The attacker sends
a stream of frames with an empty payload and without the end-of-stream flag.
These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer
spends time processing each frame disproportionate to attack bandwidth. This
can consume excess CPU.
*Recommendation:* Upgrade package io.netty#netty-all to version 4.1.39.Final or
above.