CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.17 to 2.4.34

Description:
By sending continuous, large SETTINGS frames, a client can occupy a
connection, a server thread and CPU time without any connection timeout
taking effect.
This affects only HTTP/2 connections. A possible mitigation is to
not enable the h2 protocol.
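The following is an added illustration of the frame pattern the advisory describes, written for this page; it is not code from the advisory, from httpd or from mod_http2. It parses a raw HTTP/2 byte stream into frames using the RFC 7540 frame header layout (3-byte length, 1-byte type, 1-byte flags, 4-byte stream identifier; SETTINGS is frame type 0x4 and its ACK flag is 0x1), counts the non-ACK SETTINGS frames a client sends and the bytes they carry, and flags a connection that keeps sending them. The function names, the thresholds and both sample byte streams are constructed for the example.

```python
"""Count client-sent SETTINGS frames on one HTTP/2 connection and flag a flood.

Added example for the CVE-2018-11763 advisory; not code from httpd or mod_http2.
Frame layout and SETTINGS encoding follow RFC 7540 sections 4.1 and 6.5.
"""
from __future__ import annotations

import struct
from typing import Iterator, List, NamedTuple, Tuple

FRAME_HEADER_LEN = 9          # 24-bit length, 8-bit type, 8-bit flags, 32-bit stream id
TYPE_SETTINGS = 0x4           # SETTINGS frame type (RFC 7540 6.5)
FLAG_ACK = 0x1                # ACK flag on a SETTINGS frame
SETTINGS_ENTRY_LEN = 6        # each parameter is a 16-bit id plus a 32-bit value

# Two well-known setting identifiers, used only to build realistic sample payloads.
SETTINGS_MAX_CONCURRENT_STREAMS = 0x3
SETTINGS_INITIAL_WINDOW_SIZE = 0x4


class Frame(NamedTuple):
    length: int
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def parse_frames(data: bytes) -> Iterator[Frame]:
    """Split a raw HTTP/2 byte stream (after the connection preface) into frames."""
    offset = 0
    while offset + FRAME_HEADER_LEN <= len(data):
        hdr = data[offset:offset + FRAME_HEADER_LEN]
        length = int.from_bytes(hdr[0:3], "big")
        ftype, flags = hdr[3], hdr[4]
        stream_id = struct.unpack(">I", hdr[5:9])[0] & 0x7FFFFFFF  # drop reserved bit
        payload = data[offset + FRAME_HEADER_LEN:offset + FRAME_HEADER_LEN + length]
        if len(payload) < length:
            break  # truncated frame at the end of the capture; stop rather than misparse
        yield Frame(length, ftype, flags, stream_id, payload)
        offset += FRAME_HEADER_LEN + length


def assess_connection(data: bytes,
                      max_settings_frames: int = 3,
                      max_settings_bytes: int = 1024) -> dict:
    """Count non-ACK SETTINGS frames and their payload bytes; flag the connection
    when either total passes its threshold (thresholds are illustrative)."""
    frames = bytes_seen = malformed = 0
    for f in parse_frames(data):
        if f.ftype != TYPE_SETTINGS or f.flags & FLAG_ACK:
            continue  # only settings the peer must acknowledge cost the server work
        frames += 1
        bytes_seen += f.length
        # RFC 7540 6.5: SETTINGS must be on stream 0 and carry whole 6-byte entries.
        if f.stream_id != 0 or f.length % SETTINGS_ENTRY_LEN != 0:
            malformed += 1
    return {
        "settings_frames": frames,
        "settings_bytes": bytes_seen,
        "malformed": malformed,
        "suspicious": frames > max_settings_frames or bytes_seen > max_settings_bytes,
    }


# --- constructed sample input -------------------------------------------------

def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Encode one HTTP/2 frame (helper for building the sample streams below)."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def build_settings(entries: List[Tuple[int, int]], ack: bool = False) -> bytes:
    """Encode a SETTINGS frame carrying the given (identifier, value) pairs."""
    payload = b"".join(struct.pack(">HI", ident, value) for ident, value in entries)
    return build_frame(TYPE_SETTINGS, FLAG_ACK if ack else 0, 0, payload)


# Constructed: a well-behaved client sends one SETTINGS frame and one SETTINGS ACK.
NORMAL_CLIENT = (
    build_settings([(SETTINGS_MAX_CONCURRENT_STREAMS, 100),
                    (SETTINGS_INITIAL_WINDOW_SIZE, 65535)])
    + build_settings([], ack=True)
)

# Constructed: a client that keeps sending large (600-byte) SETTINGS frames,
# the pattern the advisory describes, here capped at 20 frames.
FLOODING_CLIENT = b"".join(
    build_settings([(SETTINGS_INITIAL_WINDOW_SIZE, 65535)] * 100) for _ in range(20)
)

if __name__ == "__main__":
    print("normal  :", assess_connection(NORMAL_CLIENT))
    print("flooding:", assess_connection(FLOODING_CLIENT))
```

The counters are per captured byte stream; a production detector would keep them per connection and reset them on a time window, since the advisory's point is that the traffic is continuous rather than merely large. On the server side, the mitigation the advisory names corresponds to leaving `h2` out of the httpd `Protocols` directive until the upgrade to 2.4.35 is done.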

Mitigation:
All httpd users should upgrade to 2.4.35 or later.

Credit:
The issue was discovered by Gal Goldshtein of F5 Networks.

References:
https://httpd.apache.org/security/vulnerabilities_24.html