Ubuntu 18.04 LTS : apache2 vulnerabilities (USN-3783-1)

Medium Nessus Plugin ID 117916

Synopsis

The remote Ubuntu host is missing a security-related patch.

Description

Robert Swiecki discovered that the Apache HTTP Server HTTP/2 module incorrectly destroyed certain streams. A remote attacker could possibly use this issue to cause the server to crash, leading to a denial of service. (CVE-2018-1302)

Craig Young discovered that the Apache HTTP Server HTTP/2 module incorrectly handled certain requests. A remote attacker could possibly use this issue to cause the server to consume resources, leading to a denial of service. (CVE-2018-1333)

Gal Goldshtein discovered that the Apache HTTP Server HTTP/2 module incorrectly handled large SETTINGS frames. A remote attacker could possibly use this issue to cause the server to consume resources, leading to a denial of service. (CVE-2018-11763)

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected apache2-bin package.

Plugin Details

Severity: Medium

ID: 117916

File Name: ubuntu_USN-3783-1.nasl

Version: 1.2

Type: local

Agent: unix

Published: 2018/10/04

Modified: 2018/10/04

Dependencies: 12634

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSSv3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerability Information

CPE: p-cpe:/a:canonical:ubuntu_linux:apache2-bin, cpe:/o:canonical:ubuntu_linux:18.04:-:lts

Required KB Items: Host/cpu, Host/Ubuntu, Host/Ubuntu/release, Host/Debian/dpkg-l

Patch Publication Date: 2018/10/03

Reference Information

CVE: CVE-2018-11763, CVE-2018-1302, CVE-2018-1333

USN: 3783-1

IAVA: 2018-A-0310