CVE-2018-11763

Published: 25 September 2018

In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames, a client can occupy a connection, a server thread and CPU time without any connection timeout taking effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.
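The two questions a defender asks when reading this entry are whether an httpd build falls in the affected upstream range and whether a given configuration actually enables h2 at all, since the mitigation named above is simply not to enable it. The following is an added triage helper, not code from the Ubuntu CVE tracker or from the Apache project. It assumes the mod_http2 `Protocols` directive (where `h2` is HTTP/2 over TLS and `h2c` cleartext HTTP/2) is how h2 is switched on, and the sample virtual host it scans is constructed for the example. The version check applies to upstream version numbers only: distribution packages backport fixes, so 2.4.29-1ubuntu4.4 on Ubuntu 18.04 is fixed even though bare 2.4.29 is in range.

```python
"""Triage helper for CVE-2018-11763 (Apache httpd HTTP/2 SETTINGS flood).

Added example; not from the Ubuntu CVE tracker or the Apache project.
Assumes h2 is enabled through mod_http2's `Protocols` directive.
"""
import re
from typing import Tuple

# Affected upstream range as stated in the advisory (inclusive).
AFFECTED_MIN = (2, 4, 17)
AFFECTED_MAX = (2, 4, 34)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.4.29' or a banner like 'Apache/2.4.29 (Ubuntu)' into a tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())


def upstream_version_affected(version: str) -> bool:
    """True if the upstream version lies in 2.4.17..2.4.34.

    Only meaningful for upstream builds: a distro version string such as
    '2.4.29-1ubuntu4.4' parses as 2.4.29 but carries the backported fix.
    """
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# One Protocols directive per line; comment lines (leading '#') never match
# because the pattern anchors 'Protocols' at the start of the line.
_PROTOCOLS = re.compile(
    r"^([ \t]*)Protocols[ \t]+(.+?)[ \t]*$", re.IGNORECASE | re.MULTILINE
)


def h2_enabled(config_text: str) -> bool:
    """True if any active Protocols directive lists h2 or h2c.

    This reports 'h2 requested by the configuration'; whether mod_http2 is
    actually loaded (LoadModule http2_module ...) is not checked here.
    """
    for m in _PROTOCOLS.finditer(config_text):
        protocols = {p.lower() for p in m.group(2).split()}
        if protocols & {"h2", "h2c"}:
            return True
    return False


def mitigated_config(config_text: str) -> str:
    """Apply the advisory's mitigation: rewrite every Protocols directive to
    'Protocols http/1.1', preserving indentation and all other lines."""
    return _PROTOCOLS.sub(r"\1Protocols http/1.1", config_text)


# Constructed sample virtual host (not a real deployment).
SAMPLE_VHOST = """\
# constructed sample for the example
<VirtualHost *:443>
    ServerName example.test
    Protocols h2 http/1.1
    SSLEngine on
</VirtualHost>
"""

if __name__ == "__main__":
    for v in ("2.4.16", "2.4.17", "2.4.29", "2.4.34", "2.4.35"):
        print(f"{v}: affected={upstream_version_affected(v)}")
    print("h2 enabled in sample:", h2_enabled(SAMPLE_VHOST))
    hardened = mitigated_config(SAMPLE_VHOST)
    print("h2 enabled after mitigation:", h2_enabled(hardened))
    print(hardened)
```

Running the file prints the affected/not-affected verdict for each boundary version, then shows the sample virtual host before and after the `Protocols` line is rewritten to `http/1.1`. Because the Apache default for `Protocols` is `http/1.1`, deleting the directive entirely has the same effect as the rewrite; on Ubuntu the module itself can also be disabled with `a2dismod http2`.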

Priority

Medium

CVSS 3 base score: 5.9

Status

Package   Release                           Status
apache2   Upstream                          Released (2.4.35)
          Ubuntu 18.04 LTS (Bionic Beaver)  Released (2.4.29-1ubuntu4.4)
          Ubuntu 16.04 ESM (Xenial Xerus)   Not vulnerable (code not built)
          Ubuntu 14.04 ESM (Trusty Tahr)    Not vulnerable (code not present)
Patches:
Upstream: https://svn.apache.org/viewvc?view=revision&revision=1840757 (2.4.x)
Upstream: https://github.com/apache/httpd/commit/484aba5048e3457dc1d15189f1910d007b1a4a76