CVE-2018-11763: mod_http2, DoS via continuous SETTINGS frames

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.17 to 2.4.34

By sending continuous, large SETTINGS frames, a client can occupy a
connection, server thread and CPU time without any connection timeout
taking effect.
This affects only HTTP/2 connections. A possible mitigation is to
not enable the h2 protocol.

All httpd users should upgrade to 2.4.35 or later.

The issue was discovered by Gal Goldshtein of F5 Networks.
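
A triage check for the version range and the h2 mitigation described above, as an added example that is not part of the original advisory or of httpd. The function names and result labels are hypothetical, and the sample banner and configuration are constructed.

```python
import re

# Affected range stated in the advisory: httpd 2.4.17 to 2.4.34 inclusive.
AFFECTED_MIN, AFFECTED_MAX = (2, 4, 17), (2, 4, 34)

def parse_httpd_version(banner):
    """Extract (major, minor, patch) from `httpd -v` style output."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Apache version in %r" % banner)
    return tuple(int(x) for x in m.groups())

def version_affected(version):
    return AFFECTED_MIN <= version <= AFFECTED_MAX

def h2_enabled(config_text):
    """True if any Protocols directive lists h2 or h2c.

    Without a Protocols directive httpd serves only http/1.1, so an
    absent directive means HTTP/2 is off. Assumes config_text already
    holds all included files and uses no backslash continuations.
    """
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        if parts[0].lower() == "protocols":
            if any(p.lower() in ("h2", "h2c") for p in parts[1:]):
                return True
    return False

def triage(banner, config_text):
    """Classify one server against CVE-2018-11763."""
    if not version_affected(parse_httpd_version(banner)):
        return "not-affected"
    if h2_enabled(config_text):
        return "exposed"            # affected version with HTTP/2 on
    return "affected-h2-disabled"   # mitigated by config, still upgrade

if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real host.
    banner = "Server version: Apache/2.4.29 (Unix)"
    conf = "# TLS vhost\n<VirtualHost *:443>\n  Protocols h2 http/1.1\n</VirtualHost>\n"
    print(triage(banner, conf))
```

A version string alone can overstate exposure on distributions that backport fixes without changing the upstream version number, so confirm against the package changelog before acting on an "exposed" result.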

