CVE-2018-11763

MEDIUM

Description

In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.

References

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html

http://www.securityfocus.com/bid/105414

http://www.securitytracker.com/id/1041713

https://access.redhat.com/errata/RHSA-2018:3558

https://access.redhat.com/errata/RHSA-2019:0366

https://access.redhat.com/errata/RHSA-2019:0367

https://httpd.apache.org/security/vulnerabilities_24.html

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/r9f93cf6dde30[email protected]%3Ccvs.httpd.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E

https://security.netapp.com/advisory/ntap-20190204-0004/

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us

https://usn.ubuntu.com/3783-1/

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

https://www.tenable.com/security/tns-2019-09

Details

Source: MITRE

Published: 2018-09-25

Updated: 2021-03-30

Type: NVD-CWE-noinfo

Risk Information

CVSS v2.0

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3.0

Base Score: 5.9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 2.2

Severity: MEDIUM

Vulnerable Software

ID	Name	Product	Family	Severity
131476	EulerOS Virtualization for ARM 64 3.0.3.0 : httpd (EulerOS-SA-2019-2311)	Nessus	Huawei Local Security Checks	high
127734	openSUSE Security Update : virtualbox (openSUSE-2019-1814)	Nessus	SuSE Local Security Checks	medium
125844	openSUSE Security Update : virtualbox (openSUSE-2019-1547)	Nessus	SuSE Local Security Checks	medium
125147	Oracle Enterprise Manager Ops Center (Apr 2019 CPU)	Nessus	Misc.	high
124170	Oracle Primavera Unifier Multiple Vulnerabilities (Apr 2019 CPU)	Nessus	CGI abuses	high
124169	Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) Multiple Vulnerabilities (Apr 2019 CPU)	Nessus	CGI abuses	high
123337	openSUSE Security Update : apache2 (openSUSE-2019-791)	Nessus	SuSE Local Security Checks	medium
122292	RHEL 6 / 7 : Red Hat JBoss Core Services Apache HTTP Server 2.4.29 (RHSA-2019:0367)	Nessus	Red Hat Local Security Checks	medium
122016	Photon OS 1.0: Httpd PHSA-2019-1.0-0203	Nessus	PhotonOS Local Security Checks	critical
121601	Oracle Secure Global Desktop Multiple Vulnerabilities (January 2019 CPU)	Nessus	Misc.	medium
98916	Apache 2.4.x < 2.4.35 Denial of Service	Web Application Scanning	Component Vulnerability	medium
121411	openSUSE Security Update : virtualbox (openSUSE-2019-84)	Nessus	SuSE Local Security Checks	medium
121368	Amazon Linux 2 : httpd (ALAS-2019-1155)	Nessus	Amazon Linux Local Security Checks	medium
120654	Fedora 29 : mod_http2 (2018-9cdbb641f9)	Nessus	Fedora Local Security Checks	medium
120519	Fedora 28 : mod_http2 (2018-6ffb18592f)	Nessus	Fedora Local Security Checks	medium
120127	SUSE SLES15 Security Update : apache2 (SUSE-SU-2018:3101-1)	Nessus	SuSE Local Security Checks	medium
119687	Amazon Linux AMI : httpd24 (ALAS-2018-1104)	Nessus	Amazon Linux Local Security Checks	medium
119449	SUSE SLES12 Security Update : apache2 (SUSE-SU-2018:3582-2)	Nessus	SuSE Local Security Checks	medium
118875	openSUSE Security Update : apache2 (openSUSE-2018-1378)	Nessus	SuSE Local Security Checks	medium
118835	Amazon Linux 2 : mod_http2 (ALAS-2018-1104)	Nessus	Amazon Linux Local Security Checks	medium
118566	SUSE SLES12 Security Update : apache2 (SUSE-SU-2018:3582-1)	Nessus	SuSE Local Security Checks	medium
118242	Fedora 27 : mod_http2 (2018-bb9d24c82d)	Nessus	Fedora Local Security Checks	medium
118170	openSUSE Security Update : apache2 (openSUSE-2018-1178)	Nessus	SuSE Local Security Checks	medium
117916	Ubuntu 18.04 LTS : apache2 vulnerabilities (USN-3783-1)	Nessus	Ubuntu Local Security Checks	medium
117807	Apache 2.4.x < 2.4.35 DoS	Nessus	Web Servers	medium
117724	FreeBSD : Apache -- Denial of service vulnerability in HTTP/2 (e182c076-c189-11e8-a6d2-b499baebfeaf)	Nessus	FreeBSD Local Security Checks	medium

CVE-2018-11763

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Configuration 5

Tenable Plugins

high

medium

medium

high

high

high

medium

medium

critical

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium