PSIRT Advisory

HTTP/2 Multiple DoS Attacks (VU#605641)

Summary

Improper implementations of the HTTP/2 protocol can lead to a variety of denial-of-service (DoS) attacks.


The related CVEs are:

CVE-2019-9511, also known as Data Dribble

CVE-2019-9512, also known as Ping Flood

CVE-2019-9513, also known as Resource Loop

CVE-2019-9514, also known as Reset Flood

CVE-2019-9515, also known as Settings Flood

CVE-2019-9516, also known as 0-Length Headers Leak

CVE-2019-9517, also known as Internal Data Buffering

CVE-2019-9518, also known as Empty Frame Flooding

Impact

Denial of Service (DoS)

Affected Products

The following products have been confirmed to NOT be vulnerable to any of the above:


FortiOS

FortiAP

FortiSwitch

FortiAnalyzer

FortiWeb

FortiManager

FortiMail