CVE-2018-17189

Published: Jan 30, 2019Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.

Affected (33)

Products: Apache: Http Server · Netapp: Santricity Cloud Connector, Storage Automation Store · Fedoraproject: Fedora · +4 more

Show all products

Apache: Http Server · Netapp: Santricity Cloud Connector, Storage Automation Store · Fedoraproject: Fedora · Debian: Debian Linux · Oracle: Enterprise Manager Ops Center, Hospitality Guest Access, Instantis Enterprisetrack, Retail Xstore Point Of Service, Sun Zfs Storage Appliance Kit · Canonical: Ubuntu Linux · Redhat: Jboss Core Services

Apache

1 product

Http Server

Netapp

2 products

Santricity Cloud Connector

Storage Automation Store

1 product

1 product

5 products

Enterprise Manager Ops Center

Hospitality Guest Access

Instantis Enterprisetrack

Retail Xstore Point Of Service

Sun Zfs Storage Appliance Kit

1 product

1 product

Configuration A

14 vulnerable

Vulnerable Software	Affected Versions
Apache Http Server	Version 2.4.17
Apache Http Server	Version 2.4.18
Apache Http Server	Version 2.4.20
Apache Http Server	Version 2.4.23
Apache Http Server	Version 2.4.25
Apache Http Server	Version 2.4.26
Apache Http Server	Version 2.4.27
Apache Http Server	Version 2.4.28
Apache Http Server	Version 2.4.29
Apache Http Server	Version 2.4.30
Apache Http Server	Version 2.4.33
Apache Http Server	Version 2.4.34
Apache Http Server	Version 2.4.35
Apache Http Server	Version 2.4.37

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Netapp Santricity Cloud Connector	All versions
Netapp Storage Automation Store	All versions

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 28
Fedoraproject Fedora	Version 29

Configuration D

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 9.0

Configuration E

9 vulnerable

Vulnerable Software	Affected Versions
Oracle Enterprise Manager Ops Center	Version 12.3.3
Oracle Hospitality Guest Access	Version 4.2.0
Oracle Hospitality Guest Access	Version 4.2.1
Oracle Instantis Enterprisetrack	Version 17.1
Oracle Instantis Enterprisetrack	Version 17.2
Oracle Instantis Enterprisetrack	Version 17.3
Oracle Retail Xstore Point Of Service	Version 7.0
Oracle Retail Xstore Point Of Service	Version 7.1
Oracle Sun Zfs Storage Appliance Kit	Version 8.8.6

Configuration F

4 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 14.04
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 18.04
Canonical Ubuntu Linux	Version 18.10

Configuration G

1 vulnerable · 2 platform

Vulnerable Software	Affected Versions
Redhat Jboss Core Services	Version 1.0

Running on/with	Platform Versions
Redhat Enterprise Linux	Version 6.0
Redhat Enterprise Linux	Version 7.0

Related CWEs

CWE-400

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (60)

http://www.securityfocus.com/bid/106685

Source: security@apache.org

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2019:3932

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3933

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3935

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:4126

Source: security@apache.org

Third Party Advisory

https://httpd.apache.org/security/vulnerabilities_24.html

Source: security@apache.org

Vendor Advisory

https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IY7SJQOO3PYFVINZW6H5EK4EZ3HSGZNM/

Source: security@apache.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U7N3DUEBFVGQWQEME5HTPTTKDHGHBAC6/

Source: security@apache.org

https://seclists.org/bugtraq/2019/Apr/5

Source: security@apache.org

Issue TrackingMailing ListThird Party Advisory

https://security.gentoo.org/glsa/201903-21

Source: security@apache.org

Third Party Advisory

https://security.netapp.com/advisory/ntap-20190125-0001/

Source: security@apache.org

Third Party Advisory

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03950en_us

Source: security@apache.org

Third Party Advisory

https://usn.ubuntu.com/3937-1/

Source: security@apache.org

Third Party Advisory

https://www.debian.org/security/2019/dsa-4422

Source: security@apache.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2020.html

Source: security@apache.org

Third Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Source: security@apache.org

Third Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Source: security@apache.org

Third Party Advisory

https://www.tenable.com/security/tns-2019-09

Source: security@apache.org

Third Party Advisory

http://www.securityfocus.com/bid/106685