Why are there no changes to mod_http2 mentioned in: http://www.apache.org/dist//httpd/CHANGES_2.4.35 to presumably address this CVE?
Or does one of the other changes cover this? (Not as far as I can see, but I could be wrong.)
In previous changes files (e.g. http://www.apache.org/dist//httpd/CHANGES_2.4.34) these were listed at the top of the changes file.
Also should this not be mentioned in: https://httpd.apache.org/security/vulnerabilities_24.html?
Apologies if I've jumped the gun and this is still in progress.
I imagine CVEs are of special notice so think this should be corrected ASAP if possible.
From: Daniel Ruggeri <druggeri@xxxxxxxxxx>
Sent: 25 September 2018 15:08
To: announce@xxxxxxxxxxxxxxxx; security@xxxxxxxxxxxxxxxx; oss-security@xxxxxxxxxxxxxxxxxx
Subject: CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames
CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames
Vendor: The Apache Software Foundation
httpd 2.4.17 to 2.4.34
By sending continuous, large SETTINGS frames a client can occupy a
connection, server thread and CPU time without any connection timeout
coming into effect.
This affects only HTTP/2 connections. A possible mitigation is to
not enable the h2 protocol.
All httpd users should upgrade to 2.4.35 or later.
The issue was discovered by Gal Goldshtein of F5 Networks.
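The advisory describes the abuse as a stream of continuous, large SETTINGS frames on one connection. Below is an added detection example (not code from the advisory or from httpd) that parses raw HTTP/2 frames per RFC 7540 section 4.1 and flags a connection whose non-ACK SETTINGS traffic exceeds a budget; the thresholds and the two sample byte streams are constructed assumptions for illustration.

```python
import struct

HTTP2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_HEADER_LEN = 9       # 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id
FRAME_SETTINGS = 0x4       # SETTINGS frame type (RFC 7540 section 6.5)
FRAME_WINDOW_UPDATE = 0x8
FLAG_ACK = 0x1

def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in a client byte stream."""
    if data.startswith(HTTP2_PREFACE):
        data = data[len(HTTP2_PREFACE):]
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF  # drop reserved bit
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated trailing frame; wait for more bytes
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length

def settings_pressure(data: bytes):
    """Return (number of non-ACK SETTINGS frames, total SETTINGS payload bytes) seen on a connection."""
    count = total = 0
    for ftype, flags, _stream_id, payload in parse_frames(data):
        if ftype == FRAME_SETTINGS and not flags & FLAG_ACK:
            count += 1
            total += len(payload)
    return count, total

def is_suspicious(data: bytes, max_frames: int = 20, max_bytes: int = 4096) -> bool:
    """Assumed budget: a well-behaved client sends a handful of small SETTINGS frames per connection."""
    count, total = settings_pressure(data)
    return count > max_frames or total > max_bytes

def frame(ftype: int, payload: bytes, flags: int = 0, stream_id: int = 0) -> bytes:
    """Build one frame (used only to construct the sample streams below)."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack("!I", stream_id) + payload

# Constructed samples: one SETTINGS entry is a 16-bit identifier plus 32-bit value (6 bytes).
SETTING_ENTRY = struct.pack("!HI", 0x3, 100)  # SETTINGS_MAX_CONCURRENT_STREAMS = 100
BENIGN = (HTTP2_PREFACE + frame(FRAME_SETTINGS, SETTING_ENTRY)
          + frame(FRAME_SETTINGS, b"", flags=FLAG_ACK)
          + frame(FRAME_WINDOW_UPDATE, struct.pack("!I", 65535)))
ABUSIVE = HTTP2_PREFACE + frame(FRAME_SETTINGS, SETTING_ENTRY * 1000) * 50  # 50 frames of 6000 bytes

if __name__ == "__main__":
    print("benign:", settings_pressure(BENIGN), is_suspicious(BENIGN))
    print("abusive:", settings_pressure(ABUSIVE), is_suspicious(ABUSIVE))
```

In practice the same counter would run per connection in a proxy or IDS module rather than over a complete captured stream, with the budget tuned to the client mix actually seen on the server.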