Bug 1605048 - CVE-2018-1333 httpd: mod_http2: too much time allocated to workers, possibly leading to DoS
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware / OS: All / Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20180718,repor...
Keywords: Security
Depends On: 1605050 1616051 1605049 1609083
Blocks: 1605053
Reported: 2018-07-20 00:49 EDT by Sam Fowler
Modified: 2018-10-19 17:52 EDT
CC: 62 users

See Also:
Fixed In Version: httpd 2.4.34
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments: None
Description Sam Fowler 2018-07-20 00:49:23 EDT
Apache httpd before version 2.4.34 has a vulnerability in the handling of specially crafted HTTP/2 requests, causing workers to be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service.

This issue only affects servers that have configured and enabled HTTP/2 support, which is not the default.


External References:

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-1333
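The description above gives two conditions for exposure: an httpd build in the affected upstream range (comment 3 names 2.4.18 as the first affected release; the fix is in 2.4.34) and HTTP/2 actually configured and enabled. The following is an added example, not code from the bug or from the httpd project, that turns those two conditions into a check a defender can run over a server's reported version, its loaded-module list (as printed by `httpd -M`) and its configuration. It assumes that "HTTP/2 enabled" means `mod_http2` is loaded and a `Protocols` directive lists `h2` or `h2c`; the version range constants, the sample configuration and the sample module list are constructed for the example.

```python
"""Added example: assess exposure to CVE-2018-1333 from version + HTTP/2 configuration.

Assumptions (not stated by the bug itself):
  * "HTTP/2 configured and enabled" == mod_http2 loaded AND a `Protocols`
    directive offering h2 or h2c.
  * Version bounds follow the bug: first affected 2.4.18, fixed in 2.4.34.
The config lines and module list at the bottom are constructed samples.
"""
import re
from typing import Iterable, List, Tuple

FIRST_AFFECTED = (2, 4, 18)   # per comment 3 (upstream lists 2.4.18 as first affected)
FIXED_IN = (2, 4, 34)         # per "Fixed In Version: httpd 2.4.34"
H2_TOKENS = ("h2", "h2c")     # TLS and cleartext HTTP/2 protocol names


def parse_version(text: str) -> Tuple[int, ...]:
    """Pull an x.y.z tuple out of strings like 'Apache/2.4.27 (Red Hat)' or '2.4.34'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def version_in_affected_range(version: str) -> bool:
    """True for upstream versions 2.4.18 <= v < 2.4.34 (builds before 2.4.17 have no mod_http2)."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED_IN


def http2_enabled(config_lines: Iterable[str], loaded_modules: Iterable[str]) -> bool:
    """HTTP/2 can only be negotiated when mod_http2 is loaded AND Protocols offers h2/h2c."""
    if "http2_module" not in set(loaded_modules):
        return False
    for line in config_lines:
        stripped = line.strip()
        if stripped.startswith("#"):          # commented-out directives do not count
            continue
        m = re.match(r"Protocols\s+(.+)$", stripped, re.IGNORECASE)
        if m and any(tok.lower() in H2_TOKENS for tok in m.group(1).split()):
            return True
    return False


def exposed(version: str, config_lines: Iterable[str], loaded_modules: Iterable[str]) -> bool:
    """Both conditions from the bug description must hold for the server to be exposed."""
    return version_in_affected_range(version) and http2_enabled(config_lines, loaded_modules)


def without_http2(config_lines: Iterable[str]) -> List[str]:
    """Interim mitigation: strip h2/h2c from every Protocols directive so HTTP/2 is no longer offered.

    Falls back to http/1.1 when a directive would otherwise be left empty.
    """
    out = []
    for line in config_lines:
        m = re.match(r"(\s*)Protocols\s+(.+)$", line, re.IGNORECASE)
        if not m:
            out.append(line)
            continue
        kept = [tok for tok in m.group(2).split() if tok.lower() not in H2_TOKENS]
        out.append(f"{m.group(1)}Protocols {' '.join(kept or ['http/1.1'])}")
    return out


# Constructed sample input: a vhost offering HTTP/2 over TLS, plus a typical module list.
SAMPLE_CONFIG = [
    "LoadModule http2_module modules/mod_http2.so",
    "<VirtualHost *:443>",
    "    Protocols h2 http/1.1",
    "    SSLEngine on",
    "</VirtualHost>",
]
SAMPLE_MODULES = ["core_module", "ssl_module", "http2_module"]   # as from `httpd -M`

if __name__ == "__main__":
    for ver in ("Apache/2.4.27 (Red Hat)", "2.4.34", "2.4.16"):
        print(ver, "exposed" if exposed(ver, SAMPLE_CONFIG, SAMPLE_MODULES) else "not exposed")
    print("\n".join(without_http2(SAMPLE_CONFIG)))
```

The version test applies to upstream numbering only: distribution packages routinely backport security fixes without changing the version string, so for vendor builds the package advisory, not the `2.4.x` number, decides whether the fix is present. The mitigation helper only edits `Protocols` lines; `Protocols` is per-server or per-vhost in httpd, so the whole configuration (including included files) needs to be scanned.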
Comment 1 Sam Fowler 2018-07-20 00:50:06 EDT
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1605049]
Comment 3 Tomas Hoger 2018-07-20 03:14:27 EDT
HTTP/2 support was first added upstream in version 2.4.17:

https://httpd.apache.org/docs/2.4/mod/mod_http2.html
http://archive.apache.org/dist/httpd/CHANGES_2.4.17

Hence earlier versions cannot be affected. Additionally, upstream lists version 2.4.18 as the first affected.
Comment 9 Scott Gayou 2018-08-14 15:39:35 EDT
httpd24-httpd (2.4.27) appears to be vulnerable. http2 modules are built and loaded by default.