...
This table lists vendors and products affected by a set of vulnerabilities in multiple HTTP/2 implementations. For more information see VU#605641 and , NFLX-2019-002, and vendor-specific references in the table.
Matrix
Vendor | Product | Affected Versions | Data Dribble | Ping Flood | Resource Loop | Reset Flood | Settings Flood | 0-Length Headers Leak | Internal Data Buffering | Empty Frames Flood | |||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
F5 | NGINX | 1.15.8 | Affected Addressed in | N | Y | N | N | Y | N | N | |||||||||
Go 1.12 (before Go 1.11.13 and Go 1.12.8) | N | Y | N | Y | N | N | N | N | |||||||||||
Netty Project | Netty | 4.1.27 | Not affected | Affected | Not affected | Affected | Affected https://netty.io/news/2019/08/13/4-1-39-Final.html | Not affected | Not affected | Affected https://netty.io/news/2019/08/13/4-1-39-Final.html | |||||||||
Apache 2.4.38 | 2.4.38 | N | N | N | N | N | Y | ||||||||||||
Apache Tomcat 9.0.13 (w/ FreeBSD native library 1.2.16) | N | N | Borderline | N | N | N | |||||||||||||
node.js 11.11.0 + libnghttp2 1.35.1 | Y | N | Y | Y | N | Y/N | N | ||||||||||||
Microsoft IIS | Y | Y | Y | Y | N | N | N | Windows | Windows 10 Windows Server 2016 and 2019 Windows Server, version 1803 and version 1903 | Affected https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-9511 | Affected https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-9512 | Affected https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-9513 | Affected https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-9514 | Not affected | Not affected | N | Affected https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-9518 Y | ||
gRPC C 1.21.0 | N | N | N | Y | Y | N | N | ||||||||||||
gRPC Java 1.21.0 (uses Netty) | N | N | N | N | Y | N | N | ||||||||||||
gRPC Go 1.21.0 | N | N | N | Y | Y | N | N | ||||||||||||
Swift | SwiftNIO HTTP/2 (swift-nio-http2) | 1.0.0 | , and 1.4.0 | .1, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.4.0N | Y | N | Y | Y | Y | N | inclusive | Not affected | Affected https://forums.swift.org/t/swiftnio-http-2-security-notice/27855 | Not affected | Affected https://forums.swift.org/t/swiftnio-http-2-security-notice/27855 | Affected https://forums.swift.org/t/swiftnio-http-2-security-notice/27855 | Affected https://forums.swift.org/t/swiftnio-http-2-security-notice/27855 | Not affected | Affected https://forums.swift.org/t/swiftnio-http-2-security-notice/27855Y |
hyper-2 (Python) | N | N | N | N | N | N | |||||||||||||
Twisted 16.3.0, 16.3.1, 16.3.2, 16.4.0, 16.4.1, 16.5.0, 16.6.0, 17.1.0, 17.5.0, 17.9.0, 18.4.0, 18.7.0, 18.9.0, 19.2.0, 19.2.1, 19.7.0 | N | Y | N | Y | N | N | N | ||||||||||||
nghttp2 | Y | N | Y | N | N | N | N | ||||||||||||
Apache Traffic Server | N | Y | N | Y | Y | N | N | ||||||||||||
Envoy | Envoy | Prior to 1.11.1 | Not affected | Affected https://groups.google.com/forum/#!topic/envoy-announce/ZLchtraPYVk | Affected https://groups.google.com/forum/#!topic/envoy-announce/ZLchtraPYVk | Affected https://groups.google.com/forum/#!topic/envoy-announce/ZLchtraPYVk | Affected https://groups.google.com/forum/#!topic/envoy-announce/ZLchtraPYVk | Not affected | Not affected | Affected https://groups.google.com/forum/#!topic/envoy-announce/ZLchtraPYVk | |||||||||
proxygen | N | Y | Y | Y | Y | N | N |
...