CVE-2018-11763

MEDIUM

Description

In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.

References

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html

http://www.securityfocus.com/bid/105414

http://www.securitytracker.com/id/1041713

https://access.redhat.com/errata/RHSA-2018:3558

https://access.redhat.com/errata/RHSA-2019:0366

https://access.redhat.com/errata/RHSA-2019:0367

https://httpd.apache.org/security/vulnerabilities_24.html

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r9f93cf6dde30[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://security.netapp.com/advisory/ntap-20190204-0004/

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us

https://usn.ubuntu.com/3783-1/

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.tenable.com/security/tns-2019-09

Details

Source: MITRE

Published: 2018-09-25

Updated: 2021-03-30

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3.0

Base Score: 5.9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 2.2

Severity: MEDIUM

Tenable Plugins

View all (26 total)

IDNameProductFamilySeverity
131476EulerOS Virtualization for ARM 64 3.0.3.0 : httpd (EulerOS-SA-2019-2311)NessusHuawei Local Security Checks
high
127734openSUSE Security Update : virtualbox (openSUSE-2019-1814)NessusSuSE Local Security Checks
medium
125844openSUSE Security Update : virtualbox (openSUSE-2019-1547)NessusSuSE Local Security Checks
medium
125147Oracle Enterprise Manager Ops Center (Apr 2019 CPU)NessusMisc.
high
124170Oracle Primavera Unifier Multiple Vulnerabilities (Apr 2019 CPU)NessusCGI abuses
high
124169Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) Multiple Vulnerabilities (Apr 2019 CPU)NessusCGI abuses
high
123337openSUSE Security Update : apache2 (openSUSE-2019-791)NessusSuSE Local Security Checks
medium
122292RHEL 6 / 7 : Red Hat JBoss Core Services Apache HTTP Server 2.4.29 (RHSA-2019:0367)NessusRed Hat Local Security Checks
medium
122016Photon OS 1.0: Httpd PHSA-2019-1.0-0203NessusPhotonOS Local Security Checks
critical
121601Oracle Secure Global Desktop Multiple Vulnerabilities (January 2019 CPU)NessusMisc.
medium
98916Apache 2.4.x < 2.4.35 Denial of ServiceWeb Application ScanningComponent Vulnerability
medium
121411openSUSE Security Update : virtualbox (openSUSE-2019-84)NessusSuSE Local Security Checks
medium
121368Amazon Linux 2 : httpd (ALAS-2019-1155)NessusAmazon Linux Local Security Checks
medium
120654Fedora 29 : mod_http2 (2018-9cdbb641f9)NessusFedora Local Security Checks
medium
120519Fedora 28 : mod_http2 (2018-6ffb18592f)NessusFedora Local Security Checks
medium
120127SUSE SLES15 Security Update : apache2 (SUSE-SU-2018:3101-1)NessusSuSE Local Security Checks
medium
119687Amazon Linux AMI : httpd24 (ALAS-2018-1104)NessusAmazon Linux Local Security Checks
medium
119449SUSE SLES12 Security Update : apache2 (SUSE-SU-2018:3582-2)NessusSuSE Local Security Checks
medium
118875openSUSE Security Update : apache2 (openSUSE-2018-1378)NessusSuSE Local Security Checks
medium
118835Amazon Linux 2 : mod_http2 (ALAS-2018-1104)NessusAmazon Linux Local Security Checks
medium
118566SUSE SLES12 Security Update : apache2 (SUSE-SU-2018:3582-1)NessusSuSE Local Security Checks
medium
118242Fedora 27 : mod_http2 (2018-bb9d24c82d)NessusFedora Local Security Checks
medium
118170openSUSE Security Update : apache2 (openSUSE-2018-1178)NessusSuSE Local Security Checks
medium
117916Ubuntu 18.04 LTS : apache2 vulnerabilities (USN-3783-1)NessusUbuntu Local Security Checks
medium
117807Apache 2.4.x < 2.4.35 DoSNessusWeb Servers
medium
117724FreeBSD : Apache -- Denial of service vulnerability in HTTP/2 (e182c076-c189-11e8-a6d2-b499baebfeaf)NessusFreeBSD Local Security Checks
medium