Bug 1109961 - (CVE-2018-11763) VUL-0: CVE-2018-11763: apache2: DoS for HTTP/2 connections by continuous SETTINGS
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/215600/
CVSSv3:RedHat:CVE-2018-11763:7.5:(AV:...
Reported: 2018-09-27 08:27 UTC by Karol Babioch
Modified: 2021-01-12 12:15 UTC (History)
Found By: Security Response Team
Description Karol Babioch 2018-09-27 08:27:53 UTC
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS
frames a client can occupy a connection, server thread and CPU time without any
connection timeout coming to effect. This affects only HTTP/2 connections. A
possible mitigation is to not enable the h2 protocol.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1633399
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11763
http://www.securitytracker.com/id/1041713
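
Added example, not part of the original bug report and not the httpd fix: a per-connection check that parses HTTP/2 frame headers (RFC 7540, section 4.1) and counts non-ACK SETTINGS frames and their payload bytes, the pattern the description names. The thresholds, function names and sample byte strings are assumptions constructed for illustration.

```python
import struct

SETTINGS, HEADERS = 0x4, 0x1   # frame types (RFC 7540 section 6)
ACK, END_HEADERS = 0x1, 0x4    # flag bits

def frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, type, flags, 31-bit stream id."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags,
                       stream_id & 0x7FFFFFFF) + payload

def parse_frames(buf):
    """Yield (type, flags, stream_id, length) per complete frame in buf."""
    off = 0
    while off + 9 <= len(buf):
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, off)
        length = (hi << 16) | lo
        if off + 9 + length > len(buf):
            break                      # truncated trailing frame: stop cleanly
        yield ftype, flags, sid & 0x7FFFFFFF, length
        off += 9 + length

def settings_pressure(buf, max_frames=10, max_bytes=4096):
    """Count non-ACK SETTINGS frames and their payload bytes on one connection.

    max_frames and max_bytes are assumed thresholds, not values from httpd.
    """
    n = size = requests = 0
    for ftype, flags, _sid, length in parse_frames(buf):
        if ftype == SETTINGS and not flags & ACK:
            n += 1
            size += length
        elif ftype == HEADERS:
            requests += 1
    return {"settings": n, "settings_bytes": size, "requests": requests,
            "flagged": n > max_frames or size > max_bytes}

# Constructed samples: client-to-server bytes after the 24-byte connection preface.
ENTRY = struct.pack(">HI", 0x3, 100)   # SETTINGS_MAX_CONCURRENT_STREAMS = 100
NORMAL = (frame(SETTINGS, 0, 0, ENTRY * 3) + frame(SETTINGS, ACK, 0)
          + frame(HEADERS, END_HEADERS, 1, b"\x82"))
REPEATED = frame(SETTINGS, 0, 0, ENTRY * 100) * 40   # SETTINGS only, no requests

if __name__ == "__main__":
    for name, buf in (("normal", NORMAL), ("repeated", REPEATED)):
        print(name, settings_pressure(buf))
```

A connection that keeps sending SETTINGS while opening no request streams is the signal worth alerting on; tune the thresholds against real client behaviour before relying on them.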
Comment 1 Karol Babioch 2018-09-27 09:09:40 UTC
It's not trivial to find the corresponding commit that fixes this vulnerability, but I think this is the one: https://github.com/apache/httpd/commit/38721aabe5d4f75f0cf87b0efebd682d46224877
Comment 2 Karol Babioch 2018-09-27 09:10:48 UTC
Based on the version number only, these codestreams should be affected:

SUSE:SLE-12-SP2:Update
SUSE:SLE-15:Update

These are not affected:

SUSE:SLE-10-SP3:Update
SUSE:SLE-11-SP1:Update
SUSE:SLE-12:Update
Comment 3 Petr Gajdos 2018-10-01 14:12:34 UTC
No testcase found.
Comment 4 Petr Gajdos 2018-10-01 15:00:12 UTC
15: The patch applies cleanly, but I think such an invasive change could be a good opportunity to update to the newest mod_http2 version.
Comment 6 Petr Gajdos 2018-10-02 08:37:50 UTC
12sp2: The patch applies cleanly, but I think such an invasive change could be a good opportunity to update to the newest mod_http2 version.
Comment 8 Petr Gajdos 2018-10-02 15:22:06 UTC
I took the opportunity to arrange dependencies of mod_http2 tests (perl-AnyEvent, perl-Protocol-HTTP2 and their dependencies not included in respective SLESes) in home:pgajdos:apache-test. It runs 50 mod_http2 related tests.

Now the result is:

BEFORE

$ for r in SLE_12_SP2 SLE_12_SP3 SLE_15; do isc rbl home:pgajdos:apache-test/apache-test $r x86_64 | grep http2.t; done
[  274s] t/modules/http2.t ................... ok
[  252s] t/modules/http2.t ................... ok
[  267s] t/modules/http2.t ................... ok
$

AFTER


$ for r in SLE_12_SP2 SLE_12_SP3 SLE_15; do isc rbl home:pgajdos:apache-test:after/apache-test $r x86_64 | grep http2.t; done
[  256s] t/modules/http2.t ................... ok
[  255s] t/modules/http2.t ................... ok
[  280s] t/modules/http2.t ................... ok
$
Comment 9 Petr Gajdos 2018-10-02 15:23:20 UTC
Packages submitted: 12sp2/apache2 and 15/apache2

I believe everything is fixed.
Comment 10 Swamp Workflow Management 2018-10-11 19:09:06 UTC
SUSE-SU-2018:3101-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1109961
CVE References: CVE-2018-11763
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    apache2-2.4.33-3.6.1
Comment 11 Swamp Workflow Management 2018-10-17 04:15:05 UTC
openSUSE-SU-2018:3185-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1109961
CVE References: CVE-2018-11763
Sources used:
openSUSE Leap 15.0 (src):    apache2-2.4.33-lp150.2.6.1
Comment 12 Swamp Workflow Management 2018-10-30 20:16:12 UTC
SUSE-SU-2018:3582-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1109961
CVE References: CVE-2018-11763
Sources used:
SUSE OpenStack Cloud 7 (src):    apache2-2.4.23-29.27.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    apache2-2.4.23-29.27.2
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    apache2-2.4.23-29.27.2
SUSE Linux Enterprise Server 12-SP3 (src):    apache2-2.4.23-29.27.2
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    apache2-2.4.23-29.27.2
SUSE Linux Enterprise Server 12-SP2-BCL (src):    apache2-2.4.23-29.27.2
SUSE Enterprise Storage 4 (src):    apache2-2.4.23-29.27.2
Comment 13 Swamp Workflow Management 2018-11-09 23:26:04 UTC
openSUSE-SU-2018:3713-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1109961
CVE References: CVE-2018-11763
Sources used:
openSUSE Leap 42.3 (src):    apache2-2.4.23-31.1
Comment 14 Swamp Workflow Management 2018-12-05 14:15:42 UTC
SUSE-SU-2018:3582-2: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1109961
CVE References: CVE-2018-11763
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    apache2-2.4.23-29.27.2
SUSE Linux Enterprise Server 12-SP4 (src):    apache2-2.4.23-29.27.2
Comment 15 Marcus Meissner 2019-07-18 06:55:01 UTC
done