CVE-2018-1303 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2018-1303?

CVE-2018-1303 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-1303?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Debian Debian Linux, Canonical Ubuntu Linux, Netapp Santricity Cloud Connector, Netapp Storage Automation Store.

Vulnerability Description

A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.

CVSS Score

7.5

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Http Server	<= 2.4.29
Debian	Debian Linux	8.0
Canonical	Ubuntu Linux	14.04
Netapp	Santricity Cloud Connector	-
Netapp	Storage Automation Store	-
Netapp	Storagegrid	-
Netapp	Clustered Data Ontap	-

Related Weaknesses (CWE)

CWE-125

References

http://www.openwall.com/lists/oss-security/2018/03/24/3Mailing ListThird Party Advisory
http://www.securityfocus.com/bid/103522Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1040572Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:3558Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0366Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0367Third Party Advisory
https://httpd.apache.org/security/vulnerabilities_24.htmlVendor Advisory
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cd
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e10
https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda
https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f8
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0

FAQ

What is CVE-2018-1303?

CVE-2018-1303 is a vulnerability with a CVSS score of 7.5 (HIGH). A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory. It could be us...

How severe is CVE-2018-1303?

CVE-2018-1303 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-1303?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Debian Debian Linux, Canonical Ubuntu Linux, Netapp Santricity Cloud Connector, Netapp Storage Automation Store.