MEDIUM · 5.3

CVE-2018-17189

Vulnerability Description

In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: NONE
Integrity: NONE
Availability: LOW

Affected Products

Vendor | Product | Versions
Apache | Http Server | 2.4.17
Netapp | Santricity Cloud Connector | -
Netapp | Storage Automation Store | -
Fedoraproject | Fedora | 28
Debian | Debian Linux | 9.0
Oracle | Enterprise Manager Ops Center | 12.3.3
Oracle | Hospitality Guest Access | 4.2.0
Oracle | Instantis Enterprisetrack | 17.1
Oracle | Retail Xstore Point Of Service | 7.0
Oracle | Sun Zfs Storage Appliance Kit | 8.8.6
Canonical | Ubuntu Linux | 14.04
Redhat | Jboss Core Services | 1.0
Redhat | Enterprise Linux | 6.0

Related Weaknesses (CWE)

References

FAQ

What is CVE-2018-17189?

CVE-2018-17189 is a vulnerability with a CVSS score of 5.3 (MEDIUM). In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.

How severe is CVE-2018-17189?

CVE-2018-17189 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2018-17189?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Netapp Santricity Cloud Connector, Netapp Storage Automation Store, Fedoraproject Fedora, Debian Debian Linux.