Bug 1122838 (CVE-2018-17189)

Summary: VUL-1: CVE-2018-17189: apache2: mod_http2, DoS via slow, unneeded request bodies
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P4 - Low
CC: gboiko, jack.hodge
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/223572/
Whiteboard: CVSSv3:RedHat:CVE-2018-17189:4.3:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSSv3:SUSE:CVE-2018-17189:4.3:(AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2019-01-23 07:00:57 UTC
via oss-sec

CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.17 to 2.4.37

Description:
By sending request bodies in a slow loris way to plain 
resources, the h2 stream for that request unnecessarily
occupied a server thread cleaning up that incoming data.
This affects only HTTP/2 (mod_http2) connections in 
Apache HTTP Server versions 2.4.37 and prior.

Mitigation:
All httpd users deploying mod_http2 should upgrade to 2.4.38 or later.

Credit:
The issue was discovered by Gal Goldshtein of F5 Networks.

References:
https://httpd.apache.org/security/vulnerabilities_24.html
Comment 1 Marcus Meissner 2019-01-23 07:04:34 UTC
sle12 sp2 and later affected
Comment 2 Petr Gajdos 2019-01-24 07:28:45 UTC
I think
http://svn.apache.org/viewvc?view=revision&revision=1851329
Comment 3 Petr Gajdos 2019-01-24 09:13:58 UTC
Will submit for 15/apache2 and 12sp2/apache2. 

TW/apache2 already fixed by version update.
Comment 4 Petr Gajdos 2019-01-24 10:05:11 UTC
Packages submitted. I believe all fixed.
Comment 8 Swamp Workflow Management 2019-02-26 20:13:02 UTC
SUSE-SU-2019:0498-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1121086,1122838,1122839
CVE References: CVE-2018-17189,CVE-2018-17199
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    apache2-2.4.23-29.34.4
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    apache2-2.4.23-29.34.4
SUSE Linux Enterprise Server 12-SP4 (src):    apache2-2.4.23-29.34.4
SUSE Linux Enterprise Server 12-SP3 (src):    apache2-2.4.23-29.34.4
Comment 9 Swamp Workflow Management 2019-02-27 11:12:50 UTC
SUSE-SU-2019:0504-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1121086,1122838,1122839
CVE References: CVE-2018-17189,CVE-2018-17199
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    apache2-2.4.33-3.9.7
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    apache2-2.4.33-3.9.7
Comment 10 Swamp Workflow Management 2019-03-06 20:12:28 UTC
openSUSE-SU-2019:0296-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1121086,1122838,1122839
CVE References: CVE-2018-17189,CVE-2018-17199
Sources used:
openSUSE Leap 15.0 (src):    apache2-2.4.33-lp150.2.9.1
Comment 11 Swamp Workflow Management 2019-03-08 14:11:00 UTC
openSUSE-SU-2019:0305-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1121086,1122838,1122839
CVE References: CVE-2018-17189,CVE-2018-17199
Sources used:
openSUSE Leap 42.3 (src):    apache2-2.4.23-37.1
Comment 12 Marcus Meissner 2019-07-18 07:03:10 UTC
released
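Added here as a worked example, not code from the bug record, the oss-sec advisory or SUSE: a check that separates the upstream affected range (httpd 2.4.17 to 2.4.37) from the fixed SUSE source package versions quoted in the advisories in this record. SUSE backports the fix, so a patched package still reports 2.4.23 or 2.4.33; the version-release comparison follows rpm's segment rules, and the product labels used as dictionary keys are shorthand chosen for this example.

```python
"""Affected/fixed check for CVE-2018-17189 (mod_http2 slow request bodies).

Added example, not part of the Bugzilla record. Upstream lists httpd
2.4.17-2.4.37 as affected, but SUSE backports the fix, so a patched
package keeps its 2.4.23 / 2.4.33 version: the fixed version-release
strings from the SUSE advisories decide, not the upstream range.
"""
import re

UPSTREAM_AFFECTED = ("2.4.17", "2.4.37")   # inclusive, from the advisory

# Fixed source package versions quoted in SUSE-SU-2019:0498-1/0504-1 and
# openSUSE-SU-2019:0296-1/0305-1 (version-release, package name dropped).
# Product labels are shorthand chosen for this example.
SUSE_FIXED = {
    "SLES 12-SP3": "2.4.23-29.34.4",
    "SLES 12-SP4": "2.4.23-29.34.4",
    "SLE 15":      "2.4.33-3.9.7",
    "Leap 15.0":   "2.4.33-lp150.2.9.1",
    "Leap 42.3":   "2.4.23-37.1",
}

def _segments(s):
    # rpmvercmp-style tokenising: maximal digit or alpha runs, separators dropped
    return re.findall(r"[0-9]+|[A-Za-z]+", s)

def rpm_vercmp(a, b):
    """Return -1, 0 or 1 like rpmvercmp for a single version or release string."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric runs compare as numbers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than alpha
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def evr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    av, _, ar = a.partition("-")
    bv, _, br = b.partition("-")
    return rpm_vercmp(av, bv) or rpm_vercmp(ar, br)

def upstream_affected(version):
    """True if a vanilla httpd version falls inside the advisory's range."""
    lo, hi = UPSTREAM_AFFECTED
    return rpm_vercmp(version, lo) >= 0 and rpm_vercmp(version, hi) <= 0

def suse_fixed(product, installed_evr):
    """True if the installed apache2 version-release is at or past the fixed one."""
    return evr_cmp(installed_evr, SUSE_FIXED[product]) >= 0
```

`rpm -q --qf '%{VERSION}-%{RELEASE}\n' apache2` yields the string `suse_fixed` expects.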