Bugzilla – Bug 1109961
VUL-0: CVE-2018-11763: apache2: DoS for HTTP/2 connections by continuous SETTINGS
Last modified: 2021-01-12 12:15:16 UTC
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1633399
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11763
http://www.securitytracker.com/id/1041713
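The pattern described above (a connection that keeps sending SETTINGS frames but never progresses to a request) can be spotted from the frame stream alone. The following detector is an added example, not code from httpd or mod_http2; it parses the RFC 7540 frame header, counts non-ACK SETTINGS frames and their payload bytes per connection, and flags the connection when those exceed assumed thresholds (MAX_SETTINGS, MAX_SETTINGS_BYTES are illustrative values, not httpd settings) while no HEADERS or DATA frame has arrived.

```python
"""Flag HTTP/2 connections dominated by SETTINGS frames (CVE-2018-11763 pattern).
Added example detector; thresholds are assumptions, not values from httpd."""
import struct

DATA, HEADERS, SETTINGS = 0x0, 0x1, 0x4   # frame type codes (RFC 7540 section 6)
ACK = 0x1                                 # SETTINGS flag: acknowledgement, no payload
MAX_SETTINGS = 16          # assumed limit on non-ACK SETTINGS frames per connection
MAX_SETTINGS_BYTES = 4096  # assumed cap on total SETTINGS payload per connection


def parse_frames(buf):
    """Yield (type, flags, stream_id, payload) for each complete frame in buf.
    Header (RFC 7540 section 4.1): 24-bit length, 8-bit type, 8-bit flags,
    1 reserved bit + 31-bit stream id. A trailing partial frame is ignored."""
    pos = 0
    while pos + 9 <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = struct.unpack(">I", buf[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        if pos + 9 + length > len(buf):
            break
        yield ftype, flags, stream_id, buf[pos + 9:pos + 9 + length]
        pos += 9 + length


def classify(buf):
    """Return per-connection counters and 'flood' True when SETTINGS traffic
    exceeds the limits while no request frame (HEADERS/DATA) has been seen."""
    settings = settings_bytes = requests = 0
    for ftype, flags, _sid, payload in parse_frames(buf):
        if ftype == SETTINGS and not flags & ACK:
            settings += 1
            settings_bytes += len(payload)
        elif ftype in (HEADERS, DATA):
            requests += 1
    flood = requests == 0 and (settings > MAX_SETTINGS
                               or settings_bytes > MAX_SETTINGS_BYTES)
    return {"settings": settings, "settings_bytes": settings_bytes,
            "requests": requests, "flood": flood}


def frame(ftype, flags, stream_id, payload=b""):
    """Serialise one HTTP/2 frame; used here only to build constructed samples."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id) + payload)


# Constructed samples: a normal connection start (SETTINGS, SETTINGS ACK, then a
# request HEADERS frame) versus a connection that only ever sends SETTINGS.
ENTRY = struct.pack(">HI", 4, 65535)      # one 6-byte setting: INITIAL_WINDOW_SIZE
NORMAL = (frame(SETTINGS, 0, 0, ENTRY) + frame(SETTINGS, ACK, 0)
          + frame(HEADERS, 0x5, 1, b"\x82"))
SETTINGS_ONLY = frame(SETTINGS, 0, 0, ENTRY * 100) * 20
```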
It's not trivial to find the corresponding commit that fixes this vulnerability, but I think this is the one: https://github.com/apache/httpd/commit/38721aabe5d4f75f0cf87b0efebd682d46224877
Based on the version number only, these codestreams should be affected:
SUSE:SLE-12-SP2:Update
SUSE:SLE-15:Update

These are not affected:
SUSE:SLE-10-SP3:Update
SUSE:SLE-11-SP1:Update
SUSE:SLE-12:Update
No testcase found.
15: The patch applies cleanly, but I think such an invasive change could be a good opportunity to update to the newest mod_http2 version.
12sp2: The patch applies cleanly, but I think such an invasive change could be a good opportunity to update to the newest mod_http2 version.
I took the opportunity to arrange dependencies of mod_http2 tests (perl-AnyEvent, perl-Protocol-HTTP2 and their dependencies are not included in the respective SLESes) in home:pgajdos:apache-test. It runs 50 mod_http2 related tests. Now the result is:

BEFORE
$ for r in SLE_12_SP2 SLE_12_SP3 SLE_15; do isc rbl home:pgajdos:apache-test/apache-test $r x86_64 | grep http2.t; done
[  274s] t/modules/http2.t ................... ok
[  252s] t/modules/http2.t ................... ok
[  267s] t/modules/http2.t ................... ok
$

AFTER
$ for r in SLE_12_SP2 SLE_12_SP3 SLE_15; do isc rbl home:pgajdos:apache-test:after/apache-test $r x86_64 | grep http2.t; done
[  256s] t/modules/http2.t ................... ok
[  255s] t/modules/http2.t ................... ok
[  280s] t/modules/http2.t ................... ok
$
Packages submitted: 12sp2/apache2 and 15/apache2.
I believe everything is fixed.
SUSE-SU-2018:3101-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1109961
CVE References: CVE-2018-11763
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src): apache2-2.4.33-3.6.1
openSUSE-SU-2018:3185-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1109961
CVE References: CVE-2018-11763
Sources used:
openSUSE Leap 15.0 (src): apache2-2.4.33-lp150.2.6.1
SUSE-SU-2018:3582-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1109961
CVE References: CVE-2018-11763
Sources used:
SUSE OpenStack Cloud 7 (src): apache2-2.4.23-29.27.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): apache2-2.4.23-29.27.2
SUSE Linux Enterprise Server for SAP 12-SP2 (src): apache2-2.4.23-29.27.2
SUSE Linux Enterprise Server 12-SP3 (src): apache2-2.4.23-29.27.2
SUSE Linux Enterprise Server 12-SP2-LTSS (src): apache2-2.4.23-29.27.2
SUSE Linux Enterprise Server 12-SP2-BCL (src): apache2-2.4.23-29.27.2
SUSE Enterprise Storage 4 (src): apache2-2.4.23-29.27.2
openSUSE-SU-2018:3713-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1109961
CVE References: CVE-2018-11763
Sources used:
openSUSE Leap 42.3 (src): apache2-2.4.23-31.1
SUSE-SU-2018:3582-2: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1109961
CVE References: CVE-2018-11763
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src): apache2-2.4.23-29.27.2
SUSE Linux Enterprise Server 12-SP4 (src): apache2-2.4.23-29.27.2
done