Apache HTTP Server Vulnerabilities Related to Version 2.4.34

IDs: 
CVE-2018-1333, CVE-2018-8011
Keywords: 
HTTP/2, DoS, Apache, httpd, mod_md, Let's Encrypt
Description: 

The Apache HTTP Server version 2.4.34 fixes two vulnerabilities.

- CVE-2018-8011: DoS via core dumps in mod_md triggered by specially crafted requests.

This vulnerability was discovered by the Airlock WAF team [1]. The module is used for Let's Encrypt and is not available in the currently supported Airlock WAF versions, including 7.0. Let's Encrypt and mod_md will be available in Airlock WAF 7.1 [2]. The vulnerability will be patched in this version.

- CVE-2018-1333: DoS for HTTP/2 connections via crafted requests.

HTTP/2 support is disabled by default in Airlock WAF. The criticality of this denial-of-service vulnerability is negligible for Airlock WAF.

Resolution: 

No action is required.

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required