The Apache HTTP Server version 2.4.34 fixes two vulnerabilities.
- CVE-2018-8011 DoS via Coredumps in mod_md on specially crafted requests.
This vulnerability was discovered by the Airlock WAF team [1]. The module is used for Let's Encrypt and is not available in the currently supported Airlock WAF versions, including 7.0. Let's Encrypt and mod_md will be available in Airlock WAF 7.1 [2]. The vulnerability will be patched in this version.
- CVE-2018-1333 DoS for HTTP/2 connections by crafted requests.
By default HTTP/2 support is disabled in Airlock WAF. The criticality of this denial of service vulnerability is negligible for Airlock WAF.
No action is required.