[ https://issues.apache.org/jira/browse/CASSANDRA-16698?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brandon Williams updated CASSANDRA-16698:
-----------------------------------------
    Resolution: Not A Problem
        Status: Resolved  (was: Triage Needed)

Cassandra does not use an HTTP transport.

> Security vulnerability CVE-2019-9518 for Netty
> ----------------------------------------------
>
>                 Key: CASSANDRA-16698
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-16698
>             Project: Cassandra
>          Issue Type: Bug
>            Reporter: Ethern Su
>            Priority: Normal
>
> *Cassandra Version: 3.11.10*
> *Description :* 
> *Severity:* NVD CVSS:3.1 7.5 High
> *Affecting Package*: netty-all 4.0.44.Final
> *Source:* National Vulnerability Database
> *Explanation from NVD:* Some HTTP/2 implementations are vulnerable to a flood 
> of empty frames, potentially leading to a denial of service. The attacker 
> sends a stream of frames with an empty payload and without the end-of-stream 
> flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. 
> The peer spends time processing each frame disproportionate to attack 
> bandwidth. This can consume excess CPU.
> *Recommendation:* Upgrade package io.netty#netty-all to version 4.1.39.Final 
> or above.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
