Apache HTTP Server CVE-2018-17189 Denial of Service Vulnerability

Bugtraq ID:	106685
Class:	Design Error
CVE:	CVE-2018-17189
Remote:	Yes
Local:	No
Published:	Jan 22 2019 12:00AM
Updated:	Apr 19 2019 11:00AM
Credit:	Gal Goldshtein of F5 Networks.
Vulnerable:	Oracle Solaris 11.4 Apache Apache 2.4.37 Apache Apache 2.4.33 Apache Apache 2.4.26 Apache Apache 2.4.25 Apache Apache 2.4.23 Apache Apache 2.4.20 Apache Apache 2.4.19 Apache Apache 2.4.18 Apache Apache 2.4.17 Apache Apache 2.4.16 Apache Apache 2.4.14 Apache Apache 2.4.12 Apache Apache 2.4.11 Apache Apache 2.4.9 Apache Apache 2.4.8 Apache Apache 2.4.7 Apache Apache 2.4.35 Apache Apache 2.4.34 Apache Apache 2.4.30 Apache Apache 2.4.29 Apache Apache 2.4.28 Apache Apache 2.4.27 Apache Apache 2.4.24 Apache Apache 2.4.13
Not Vulnerable:	Apache Apache 2.4.38

Apache HTTP Server CVE-2018-17189 Denial of Service Vulnerability

Apache HTTP Server is prone to a denial-of-service vulnerability.

Attackers may leverage this issue to cause a denial-of-service condition, denying service to legitimate users.

Apache HTTP Server 2.4.17 through 2.4.37 are vulnerable.

Apache HTTP Server CVE-2018-17189 Denial of Service Vulnerability

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Apache HTTP Server CVE-2018-17189 Denial of Service Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Apache HTTP Server CVE-2018-17189 Denial of Service Vulnerability

References:

• CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies (Seclists.org)
  
• Apache Homepage (Apache)
  
• Bug 1668497 (CVE-2018-17189) - CVE-2018-17189 httpd: mod_http2: DoS via slow, u (Redhat)
  
• Fixed in Apache httpd 2.4.20 (Apache)
  
• CVE-2018-17189 (Redhat)
  
• Oracle Solaris Third Party Bulletin - April 2019 (Oracle)