From: Daniel Ruggeri <druggeri@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies


CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.17 to 2.4.37

Description:
When request bodies were sent in a Slowloris manner to plain
resources, the h2 stream for that request unnecessarily
occupied a server thread cleaning up that incoming data.
This affects only HTTP/2 (mod_http2) connections in
Apache HTTP Server versions 2.4.37 and prior.

Mitigation:
All httpd users deploying mod_http2 should upgrade to 2.4.38 or later.

Credit:
The issue was discovered by Gal Goldshtein of F5 Networks.

References:
https://httpd.apache.org/security/vulnerabilities_24.html
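
The affected range and the mod_http2 condition above can be checked on a host from the output of `httpd -v` and `httpd -M`. The script below is an added example, not part of the advisory or of Apache's tooling; the function name, verdict strings and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an httpd install against
# CVE-2018-17189 using captured output of `httpd -v` and `httpd -M`.
# The function name and verdict strings are this example's own.

# Usage: check_cve_2018_17189 "$(httpd -v)" "$(httpd -M 2>/dev/null)"
check_cve_2018_17189() (
    ver_out=$1
    mod_out=$2
    # Pull "2.4.29" out of "Server version: Apache/2.4.29 (Ubuntu)".
    ver=$(printf '%s\n' "$ver_out" |
        sed -n 's/^Server version: Apache\/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' |
        head -n 1)
    if [ -z "$ver" ]; then
        echo "unknown"
        exit 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # Affected range stated in the advisory: 2.4.17 through 2.4.37.
    if [ "$major" -ne 2 ] || [ "$minor" -ne 4 ] ||
       [ "$patch" -lt 17 ] || [ "$patch" -gt 37 ]; then
        echo "outside-affected-range"
        exit 0
    fi
    # Only HTTP/2 (mod_http2) connections are affected, so check the module list.
    if printf '%s\n' "$mod_out" | grep -q 'http2_module'; then
        echo "affected-range-http2-loaded"
    else
        echo "affected-range-http2-not-loaded"
    fi
)

# Constructed sample outputs, not captured from a real host.
SAMPLE_VER_OLD='Server version: Apache/2.4.29 (Ubuntu)
Server built:   2018-10-10T18:59:25'
SAMPLE_VER_FIXED='Server version: Apache/2.4.38 (Unix)'
SAMPLE_MODS_H2='Loaded Modules:
 core_module (static)
 http2_module (shared)'
SAMPLE_MODS_NO_H2='Loaded Modules:
 core_module (static)
 mpm_event_module (shared)'

check_cve_2018_17189 "$SAMPLE_VER_OLD" "$SAMPLE_MODS_H2"
```

Distribution packages can carry a backported fix while still reporting an in-range version, so an in-range result is a prompt to check the vendor's package changelog rather than a final verdict.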
