CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
81.9%
Severity: High
Date : 2019-01-24
CVE-ID : CVE-2018-17189 CVE-2018-17199 CVE-2019-0190
Package : apache
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-857
The package apache before version 2.4.38-1 is vulnerable to multiple
issues including denial of service and insufficient validation.
Upgrade to 2.4.38-1.
The problems have been fixed upstream in version 2.4.38.
Disable the h2 protocol.
By sending request bodies in a slow loris way to plain resources, the
h2 stream of Apache HTTP Server before 2.4.38 for that request
unnecessarily occupied a server thread cleaning up that incoming data.
This affects only HTTP/2 connections. A possible mitigation is to not
enable the h2 protocol.
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks
the session expiry time before decoding the session. This causes
session expiry time to be ignored for mod_session_cookie sessions since
the expiry time is loaded when the session is decoded.
A bug exists in the way mod_ssl handled client renegotiations. A remote
attacker could send a carefully crafted request that would cause
mod_ssl to enter a loop leading to a denial of service. This bug can be
only triggered with Apache HTTP Server version 2.4.37 when using
OpenSSL version 1.1.1 or later, due to an interaction in changes to
handling of renegotiation attempts.
An attacker is able to crash the Apache server by sending maliciously-
crafted h2 requests and SSL handshakes. In addition, an attacker is
able to reuse an expired session.
https://httpd.apache.org/security/vulnerabilities_24.html#2.4.38
https://security.archlinux.org/CVE-2018-17189
https://security.archlinux.org/CVE-2018-17199
https://security.archlinux.org/CVE-2019-0190
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
81.9%