Bug 1633399 – CVE-2018-11763 httpd: DoS for HTTP/2 connections by continuous SETTINGS

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1633399 - (CVE-2018-11763) CVE-2018-11763 httpd: DoS for HTTP/2 connections by continuous SETTINGS

Summary:	CVE-2018-11763 httpd: DoS for HTTP/2 connections by continuous SETTINGS

Status:	NEW

Aliases:	CVE-2018-11763

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20180925,repor...
Keywords:	Security

Depends On:	1633401 1635838 1633400
Blocks:	1633402
	Show dependency tree / graph

Reported:	2018-09-26 17:37 EDT by Pedro Sampaio
Modified:	2018-10-19 19:36 EDT (History)
CC List:	64 users (show)

See Also:
Fixed In Version:	httpd 2.4.35, mod_http2 1.11.0
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Pedro Sampaio 2018-09-26 17:37:20 EDT

In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.

References:

https://httpd.apache.org/security/vulnerabilities_24.html

Comment 1 Pedro Sampaio 2018-09-26 17:38:18 EDT

Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1633400]

Comment 3 Tomas Hoger 2018-09-27 05:18:40 EDT

The httpd packages in Red Hat Enterprise Linux 7 and earlier do not include support for HTTP/2 and hence are not affected by this issue.

Comment 5 Joe Orton 2018-09-27 06:32:48 EDT

This issue is fixed upstream in httpd in the following commits:

trunk: https://svn.apache.org/r1840010
2.4.x: https://svn.apache.org/r1840757

Which matches the change made downstream in mod_h2 on github:

https://github.com/icing/mod_h2/commit/5e75e5685dd043fe93a5a08a15edd087a43f6968

i.e. this issue is fixed in httpd 2.4.35 and later, and in mod_http2 1.11.0 and later.

Note You need to log in before you can comment on or make changes to this bug.

abhgupta
anon.amish
apintea
bmaxwell
bmcclain
cbyrne
cdewolf
chazlett
cmacedo
csutherl
darran.lofthouse
dbaker
dblechte
dfediuck
dffrench
dimitris
dosoudil
drusso
eedri
fgavrilo
gzaronik
hhorak
jawilson
jclere
jdoyle
jkaluza
jmadigan
jokerman
jorton
jshepherd
lgao
lgriffin
luhliari
mbabacek
mgoldboi
michal.skrivanek
mturk
myarboro
ngough
pahan
pgier
pjurak
ppalaga
ppenicka
psakar
pslavice
pwright
rmullett
rnetuka
rstancel
rsvoboda
sbonazzo
schandle
sgayou
sherold
sthangav
tjay
trankin
trepel
twalsh
vtunka
weli
ylavi
yozone