CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.17 to 2.4.37

By sending request bodies in a slow loris way to plain 
resources, the h2 stream for that request unnecessarily
occupied a server thread cleaning up that incoming data.
This affects only HTTP/2 (mod_http2) connections in 
Apache HTTP Server versions 2.4.37 and prior.

All httpd users deploying mod_http2 should upgrade to 2.4.38 or later.

The issue was discovered by Gal Goldshtein of F5 Networks.


Reply via email to