CVE-2019-9518 (High) detected in multiple libraries - autoclosed

## CVE-2019-9518 - High Severity Vulnerability
<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/vulnerability_details.png' width=19 height=20> Vulnerable Libraries - netty-codec-http2-4.1.15.Final.jar, netty-codec-http2-4.1.12.Final.jar, netty-codec-http2-4.1.32.Final.jar, netty-codec-http2-4.1.29.Final.jar, netty-codec-http2-4.1.8.Final.jar, netty-all-4.1.9.Final.jar</summary>


<details><summary>netty-codec-http2-4.1.15.Final.jar</summary>

Netty is an asynchronous event-driven network application framework for
 rapid development of maintainable high performance protocol servers and
 clients.
Library home page: <a href="http://netty.io/">http://netty.io/</a>
Path to dependency file: /dd-java-agent/instrumentation/vertx-rx-3.5/vertx-rx-3.5.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.15.Final/4fd3b955b53ee80ef8d872dcdb53aea9f8f47a77/netty-codec-http2-4.1.15.Final.jar


Dependency Hierarchy:
 - vertx-rx-java2-3.5.0.jar (Root Library)
 - vertx-core-3.5.0.jar
 - :x: **netty-codec-http2-4.1.15.Final.jar** (Vulnerable Library)
</details>
<details><summary>netty-codec-http2-4.1.12.Final.jar</summary>

Netty is an asynchronous event-driven network application framework for
 rapid development of maintainable high performance protocol servers and
 clients.
Library home page: <a href="http://netty.io/">http://netty.io/</a>
Path to dependency file: /dd-java-agent/instrumentation/grpc-1.5/grpc-1.5.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.12.Final/5373bd1a7b61f4620a3c421ee999f6142d8aa06d/netty-codec-http2-4.1.12.Final.jar


Dependency Hierarchy:
 - grpc-netty-1.5.0.jar (Root Library)
 - :x: **netty-codec-http2-4.1.12.Final.jar** (Vulnerable Library)
</details>
<details><summary>netty-codec-http2-4.1.32.Final.jar</summary>

Netty is an asynchronous event-driven network application framework for
 rapid development of maintainable high performance protocol servers and
 clients.
Library home page: <a href="http://netty.io/">http://netty.io/</a>
Path to dependency file: /dd-java-agent/instrumentation/aws-java-sdk-2.2/aws-java-sdk-2.2.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.32.Final/d14eb053a1f96d3330ec48e77d489118d547557a/netty-codec-http2-4.1.32.Final.jar


Dependency Hierarchy:
 - kinesis-2.2.0.jar (Root Library)
 - netty-nio-client-2.2.0.jar
 - :x: **netty-codec-http2-4.1.32.Final.jar** (Vulnerable Library)
</details>
<details><summary>netty-codec-http2-4.1.29.Final.jar</summary>

Netty is an asynchronous event-driven network application framework for
 rapid development of maintainable high performance protocol servers and
 clients.
Library home page: <a href="http://netty.io/">http://netty.io/</a>
Path to dependency file: /dd-java-agent/instrumentation/netty-4.1/netty-4.1.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.29.Final/e573656f141a54f808ba482213a3abca2f2c6e6d/netty-codec-http2-4.1.29.Final.jar


Dependency Hierarchy:
 - reactor-netty-0.8.0.RELEASE.jar (Root Library)
 - :x: **netty-codec-http2-4.1.29.Final.jar** (Vulnerable Library)
</details>
<details><summary>netty-codec-http2-4.1.8.Final.jar</summary>

Netty is an asynchronous event-driven network application framework for
 rapid development of maintainable high performance protocol servers and
 clients.
Library home page: <a href="http://netty.io/">http://netty.io/</a>
Path to dependency file: /dd-java-agent/instrumentation/finatra-2.9/finatra-2.9.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.8.Final/105a99ee5767463370ccc3d2e16800bd99f5648e/netty-codec-http2-4.1.8.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.8.Final/105a99ee5767463370ccc3d2e16800bd99f5648e/netty-codec-http2-4.1.8.Final.jar


Dependency Hierarchy:
 - vertx-web-3.4.0.jar (Root Library)
 - vertx-core-3.4.0.jar
 - :x: **netty-codec-http2-4.1.8.Final.jar** (Vulnerable Library)
</details>
<details><summary>netty-all-4.1.9.Final.jar</summary>

Netty is an asynchronous event-driven network application framework for
 rapid development of maintainable high performance protocol servers and
 clients.
Library home page: <a href="http://netty.io/">http://netty.io/</a>
Path to dependency file: /dd-java-agent/instrumentation/java-concurrent/java-concurrent.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/io.netty/netty-all/4.1.9.Final/97860965d6a0a6b98e7f569f3f966727b8db75/netty-all-4.1.9.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-all/4.1.9.Final/97860965d6a0a6b98e7f569f3f966727b8db75/netty-all-4.1.9.Final.jar


Dependency Hierarchy:
 - :x: **netty-all-4.1.9.Final.jar** (Vulnerable Library)
</details>

Found in HEAD commit: <a href="https://github.com/KDWSS/dd-trace-java/commit/2819174635979a19573ec0ce8e3e2b63a3848079">2819174635979a19573ec0ce8e3e2b63a3848079</a>
Found in base branch: master

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png?' width=19 height=20> Vulnerability Details</summary>
 
 
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.

Publish Date: 2019-08-13
URL: <a href=https://www.mend.io/vulnerability-database/CVE-2019-9518>CVE-2019-9518</a>

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/cvss3.png' width=19 height=20> CVSS 3 Score Details (7.5)</summary>


Base Score Metrics:
- Exploitability Metrics:
 - Attack Vector: Network
 - Attack Complexity: Low
 - Privileges Required: None
 - User Interaction: None
 - Scope: Unchanged
- Impact Metrics:
 - Confidentiality Impact: None
 - Integrity Impact: None
 - Availability Impact: High

For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>.

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/suggested_fix.png' width=19 height=20> Suggested Fix</summary>


Type: Upgrade version
Origin: <a href="https://netty.io/news/2019/08/13/4-1-39-Final.html">https://netty.io/news/2019/08/13/4-1-39-Final.html</a>
Release Date: 2019-08-13
Fix Resolution (io.netty:netty-codec-http2): 4.1.39.Final
Direct dependency fix Resolution (io.vertx:vertx-rx-java2): 3.5.4Fix Resolution (io.netty:netty-codec-http2): 4.1.39.Final
Direct dependency fix Resolution (io.grpc:grpc-netty): 1.23.1Fix Resolution (io.netty:netty-codec-http2): 4.1.39.Final
Direct dependency fix Resolution (software.amazon.awssdk:kinesis): 2.8.0Fix Resolution (io.netty:netty-codec-http2): 4.1.39.Final
Direct dependency fix Resolution (io.projectreactor.netty:reactor-netty): 0.8.11.RELEASEFix Resolution (io.netty:netty-codec-http2): 4.1.39.Final
Direct dependency fix Resolution (io.vertx:vertx-web): 3.5.0


</details>


***
:rescue_worker_helmet: Automatic Remediation is available for this issue

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2019-9518 (High) detected in multiple libraries - autoclosed #125

CVE-2019-9518 - High Severity Vulnerability

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

CVE-2019-9518 (High) detected in multiple libraries - autoclosed #125

Description

CVE-2019-9518 - High Severity Vulnerability

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions