4431 matches found
Internet Bug Bounty: DoS for HTTP/2 connections by crafted requests (CVE-2018-1333)
mod_http2 can be tricked by specially crafted requests to hold server resources longer than necessary. A simple demonstration of this for a server with h2c enabled is as follows: for x in seq 0 500; do echo...
CVE-2018-1333
By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. Fixed in Apache HTTP Server 2.4.34. Affected: 2.4.18-2.4.30, 2.4.33...
[ASA-201807-12] apache: denial of service
Arch Linux Security Advisory ASA-201807-12. Severity: Medium. Date: 2018-07-20. CVE-ID: CVE-2018-1333 CVE-2018-8011. Package: apache. Type: denial of service. Remote: Yes. Link: https://security.archlinux.org/AVG-736. Summary: The package apache...
FreeBSD : Apache httpd -- multiple vulnerabilities (8b1a50ab-8a8e-11e8-add2-b499baebfeaf)
The Apache project reports: - DoS for HTTP/2 connections by crafted requests (CVE-2018-1333). By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. low - mod_md, DoS via Coredumps on specially crafte...
Apache Httpd < 2.4.35 : DoS for HTTP/2 connections by continuous SETTINGS
By sending continuous SETTINGS frames of maximum size, an ongoing HTTP/2 connection could be kept busy and would never time out. This can be abused for a DoS on the server. This only affects a server that has enabled the h2 protocol...
Apache httpd -- multiple vulnerabilities
The Apache project reports: DoS for HTTP/2 connections by crafted requests (CVE-2018-1333). By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. low mod_md, DoS via Coredumps on specially crafted...
Code injection
By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. Fixed in Apache HTTP Server 2.4.34. Affected: 2.4.18-2.4.30, 2.4.33...
EUVD-2018-11919
By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. Fixed in Apache HTTP Server 2.4.34. Affected: 2.4.18-2.4.30, 2.4.33...
CVE-2018-1333 DoS for HTTP/2 connections by crafted requests
By specially crafting HTTP/2 requests, workers would be allocated 60 seconds longer than necessary, leading to worker exhaustion and a denial of service. Fixed in Apache HTTP Server 2.4.34. Affected: 2.4.18-2.4.30, 2.4.33...
CVE-2018-1333
CVE-2018-1333 affects Apache HTTP Server. By specially crafting HTTP/2 requests, workers could be allocated 60 seconds longer than necessary, causing worker exhaustion and denial of service. Affected versions: 2.4.18–2.4.30 and 2.4.33; fixed in 2.4.34. The vulnerability originates from the HTTP/2...
Security Bulletin: Vulnerabilities in Apache Tomcat affect IBM SONAS (CVE-2017-7674, CVE-2017-7675)
Summary: Vulnerabilities in Apache Tomcat affect IBM SONAS (CVE-2017-7674, CVE-2017-7675). IBM SONAS has addressed both CVEs. Vulnerability Details: Apache Tomcat is used to provide the graphical user interface for managing SONAS. The command line interface (CLI) is unaffected by these issues...
Security Bulletin: A vulnerability in the Firefox component of the Synthetic Playback agent affects IBM Performance Management products.
Summary: Multiple browsers could allow a remote attacker to obtain sensitive information, caused by the failure to consider the role of the TCP congestion window in providing information about content length by the HTTPS protocol or by the HTTP/2 protocol. By visiting a Web site owned by a malicio...
Security Bulletin: Open Source Apache Tomcat Vulnerabilities affect Algo One - Counterparty Credit Risk
Summary: Apache Tomcat could allow a remote attacker to bypass security restrictions. Vulnerability Details: CVE-ID: CVE-2017-5647. DESCRIPTION: Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an error in the processing of pipelined requests in send file. An...
Security Bulletin: Vulnerability in Apache Tomcat affects IBM Algo One - Core (CVE-2017-7674, CVE-2017-7675)
Summary: Apache Tomcat could provide weaker than expected security, caused by the failure to add an HTTP Vary header (CVE-2017-7674). Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by a flaw in the HTTP/2 implementation (CVE-2017-7675). Vulnerability Details: CVEID:...
Security Bulletin: Vulnerability in Apache Tomcat affects IBM Algo One - Algo Risk Application (CVE-2017-7674, CVE-2017-7675)
Summary: Apache Tomcat could provide weaker than expected security, caused by the failure to add an HTTP Vary header (CVE-2017-7674). Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by a flaw in the HTTP/2 implementation (CVE-2017-7675). Vulnerability Details: CVEID:...