Posted to commits@cassandra.apache.org by "Ethern Su (Jira)" <ji...@apache.org> on 2021/05/26 06:13:00 UTC

[jira] [Created] (CASSANDRA-16698) Security vulnerability CVE-2019-9518 for Netty

Ethern Su created CASSANDRA-16698:
-------------------------------------

             Summary: Security vulnerability CVE-2019-9518 for Netty
                 Key: CASSANDRA-16698
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-16698
             Project: Cassandra
          Issue Type: Bug
            Reporter: Ethern Su


*Cassandra Version: 3.11.10*

*Description:*
*Severity:* NVD CVSS:3.1 7.5 High

*Affecting Package*: netty-all 4.0.44.Final

*Source:* National Vulnerability Database

*Explanation from NVD:* Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.

*Recommendation:* Upgrade package io.netty#netty-all to version 4.1.39.Final or above.


