Apache HTTP Server Vulnerabilities Related to Version 2.4.34

CVE-2018-1333, CVE-2018-8011
HTTP/2, DoS, Apache, httpd, mod_md, Let's Encrypt

The Apache HTTP Server version 2.4.34 fixes two vulnerabilities.

- CVE-2018-8011 DoS via Coredumps in mod_md on specially crafted requests.

This vulnerability was discovered by the Airlock WAF team [1]. The module is used for Let's Encrypt and is not available in the currently supported Airlock WAF versions, including 7.0. Let's Encrypt and mod_md will be available in Airlock WAF 7.1 [2]. The vulnerability will be patched in this version.

- CVE-2018-1333 DoS for HTTP/2 connections by crafted requests. 

By default, HTTP/2 support is disabled in Airlock WAF. The criticality of this denial-of-service vulnerability is negligible for Airlock WAF.


No action is required.

Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required