Lucene search

AmazonALAS2-2018-1062

HistoryAug 21, 2018 - 5:16 p.m.

Medium: httpd

2018-08-2117:16:00

alas.aws.amazon.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.5 High

AI Score

Confidence

High

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.955 High

EPSS

Percentile

99.4%

JSON

Issue Overview:

By specially crafting HTTP requests, the mod_md challenge handler would dereference a NULL pointer and cause the child process to segfault. This could be used to DoS the server. Fixed in Apache HTTP Server 2.4.34 (Affected 2.4.33). (CVE-2018-8011)

Affected Packages:

httpd

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update httpd to update your system.

New Packages:

noarch:  
    httpd-manual-2.4.34-1.amzn2.1.0.noarch  
    httpd-filesystem-2.4.34-1.amzn2.1.0.noarch  
  
src:  
    httpd-2.4.34-1.amzn2.1.0.src  
  
x86_64:  
    httpd-2.4.34-1.amzn2.1.0.x86_64  
    httpd-devel-2.4.34-1.amzn2.1.0.x86_64  
    httpd-tools-2.4.34-1.amzn2.1.0.x86_64  
    mod_ssl-2.4.34-1.amzn2.1.0.x86_64  
    mod_md-2.4.34-1.amzn2.1.0.x86_64  
    mod_proxy_html-2.4.34-1.amzn2.1.0.x86_64  
    mod_ldap-2.4.34-1.amzn2.1.0.x86_64  
    mod_session-2.4.34-1.amzn2.1.0.x86_64  
    httpd-debuginfo-2.4.34-1.amzn2.1.0.x86_64

Additional References

Red Hat: CVE-2018-8011

Mitre: CVE-2018-8011

OSVersionArchitecturePackageVersionFilename
Amazon Linux2noarchhttpd-manual< 2.4.34-1.amzn2.1.0httpd-manual-2.4.34-1.amzn2.1.0.noarch.rpm
Amazon Linux2noarchhttpd-filesystem< 2.4.34-1.amzn2.1.0httpd-filesystem-2.4.34-1.amzn2.1.0.noarch.rpm
Amazon Linux2x86_64httpd< 2.4.34-1.amzn2.1.0httpd-2.4.34-1.amzn2.1.0.x86_64.rpm
Amazon Linux2x86_64httpd-devel< 2.4.34-1.amzn2.1.0httpd-devel-2.4.34-1.amzn2.1.0.x86_64.rpm
Amazon Linux2x86_64httpd-tools< 2.4.34-1.amzn2.1.0httpd-tools-2.4.34-1.amzn2.1.0.x86_64.rpm
Amazon Linux2x86_64mod_ssl< 2.4.34-1.amzn2.1.0mod_ssl-2.4.34-1.amzn2.1.0.x86_64.rpm
Amazon Linux2x86_64mod_md< 2.4.34-1.amzn2.1.0mod_md-2.4.34-1.amzn2.1.0.x86_64.rpm
Amazon Linux2x86_64mod_proxy_html< 2.4.34-1.amzn2.1.0mod_proxy_html-2.4.34-1.amzn2.1.0.x86_64.rpm
Amazon Linux2x86_64mod_ldap< 2.4.34-1.amzn2.1.0mod_ldap-2.4.34-1.amzn2.1.0.x86_64.rpm
Amazon Linux2x86_64mod_session< 2.4.34-1.amzn2.1.0mod_session-2.4.34-1.amzn2.1.0.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
Amazon Linux	2	noarch	httpd-manual	< 2.4.34-1.amzn2.1.0	httpd-manual-2.4.34-1.amzn2.1.0.noarch.rpm
Amazon Linux	2	noarch	httpd-filesystem	< 2.4.34-1.amzn2.1.0	httpd-filesystem-2.4.34-1.amzn2.1.0.noarch.rpm
Amazon Linux	2	x86_64	httpd	< 2.4.34-1.amzn2.1.0	httpd-2.4.34-1.amzn2.1.0.x86_64.rpm
Amazon Linux	2	x86_64	httpd-devel	< 2.4.34-1.amzn2.1.0	httpd-devel-2.4.34-1.amzn2.1.0.x86_64.rpm
Amazon Linux	2	x86_64	httpd-tools	< 2.4.34-1.amzn2.1.0	httpd-tools-2.4.34-1.amzn2.1.0.x86_64.rpm
Amazon Linux	2	x86_64	mod_ssl	< 2.4.34-1.amzn2.1.0	mod_ssl-2.4.34-1.amzn2.1.0.x86_64.rpm
Amazon Linux	2	x86_64	mod_md	< 2.4.34-1.amzn2.1.0	mod_md-2.4.34-1.amzn2.1.0.x86_64.rpm
Amazon Linux	2	x86_64	mod_proxy_html	< 2.4.34-1.amzn2.1.0	mod_proxy_html-2.4.34-1.amzn2.1.0.x86_64.rpm
Amazon Linux	2	x86_64	mod_ldap	< 2.4.34-1.amzn2.1.0	mod_ldap-2.4.34-1.amzn2.1.0.x86_64.rpm
Amazon Linux	2	x86_64	mod_session	< 2.4.34-1.amzn2.1.0	mod_session-2.4.34-1.amzn2.1.0.x86_64.rpm