Bug 1101688 - (CVE-2018-8011) VUL-1: CVE-2018-8011: apache2: mod_md DoS
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low
Severity: Minor
Assigned To: Petr Gajdos
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/211024/
Whiteboard: CVSSv3:SUSE:CVE-2018-8011:5.3:(AV:N/A...
Reported: 2018-07-18 15:05 UTC by Johannes Segitz
Modified: 2021-01-12 12:15 UTC
Found By: Security Response Team
Description Johannes Segitz 2018-07-18 15:05:16 UTC
CVE-2018-8011

Description:
By specially crafting HTTP requests, the mod_md challenge
handler would dereference a NULL pointer and cause the child
process to segfault. This could be used to DoS the server.

Mitigation:
All httpd users should upgrade to 2.4.34 or later.

Credit:
The issue was discovered by Daniel Caminada.

Judging from our changes file, SLE 15 only.

References:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-8011
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8011
http://seclists.org/oss-sec/2018/q3/40
Comment 1 Petr Gajdos 2018-07-20 08:06:50 UTC
We do not enable the mod_md build. For 15/apache2, I will add an update patch to 1.1.15 in case we enable it later.
Comment 2 Petr Gajdos 2018-07-20 08:07:21 UTC
Nevertheless, we are not affected anywhere.
Comment 3 Johannes Segitz 2018-07-20 12:09:39 UTC
Thanks.
Comment 4 Petr Gajdos 2018-07-31 12:31:08 UTC
Package submitted: 15/apache2.
Comment 6 Swamp Workflow Management 2018-08-17 22:11:15 UTC
SUSE-SU-2018:2424-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1101688,1101689
CVE References: CVE-2018-1333,CVE-2018-8011
Sources used:
SUSE Linux Enterprise Module for Server Applications 15 (src):    apache2-2.4.33-3.3.1
Comment 7 Swamp Workflow Management 2018-08-19 13:09:22 UTC
openSUSE-SU-2018:2433-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1101688,1101689
CVE References: CVE-2018-1333,CVE-2018-8011
Sources used:
openSUSE Leap 15.0 (src):    apache2-2.4.33-lp150.2.3.1