CVE-2018-17189

Impact: Low
Public Date: 2019-01-22
CWE: CWE-400
Bugzilla: 1668497: CVE-2018-17189 httpd: mod_http2: DoS via slow, unneeded request bodies

The MITRE CVE dictionary describes this issue as:

In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.

Find out more about CVE-2018-17189 from the MITRE CVE dictionary and NIST NVD.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score are preliminary and subject to review.

CVSS3 Base Score: 4.3
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity Impact: None
Availability Impact: Low

Affected Packages State

Platform | Package | State
Red Hat Virtualization 4 | rhvm-appliance | Not affected
Red Hat Software Collections for Red Hat Enterprise Linux | httpd24-httpd | Affected
Red Hat JBoss Web Server 3 | httpd | Not affected
Red Hat JBoss EWS 2 | httpd | Not affected
Red Hat JBoss EAP 6 | httpd | Not affected
Red Hat JBoss EAP 5 | httpd | Not affected
Red Hat JBoss Core Services 1 | httpd | Affected
Red Hat Enterprise Linux 8 | httpd:2.4/mod_http2 | Will not fix
Red Hat Enterprise Linux 8 | httpd:2.4/httpd | Not affected
Red Hat Enterprise Linux 7 | httpd | Not affected
Red Hat Enterprise Linux 6 | httpd | Not affected
Red Hat Enterprise Linux 5 | httpd | Not affected
CVE description copyright © 2017, The MITRE Corporation