SB2018092729 - Resource management error in apache2 (Alpine package)
Published: September 27, 2018
Security Bulletin ID
SB2018092729
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Resource management error (CVE-ID: CVE-2018-11763)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect handling of large SETTINGS frames in HTTP/2 connections. A remote attacker can repeatedly send large SETTINGS frames within an established HTTP/2 connection and consume all available threads and CPU time.
Successful exploitation of the vulnerability may allow an attacker to perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=5e5b0f62c33e4bdae00d4d44fbf447c6086985aa
- https://git.alpinelinux.org/aports/commit/?id=cd9513a22803b7768db28a97e5bcf9f65cceb9d2
- https://git.alpinelinux.org/aports/commit/?id=ea785d01e00a8c2a6c9b8b35535c5e3e5da1178b
- https://git.alpinelinux.org/aports/commit/?id=f6d1356e6015d7539e9c147abbd2e13d4e2e0251