CVE-2018-11763
First published: Tue Sep 25 2018(Updated: )
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache HTTP server | >=2.4.17<=2.4.34 | |
| Canonical Ubuntu Linux | =18.04 | |
| Redhat Enterprise Linux | =6.0 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =7.4 | |
| Redhat Enterprise Linux | =7.5 | |
| Redhat Enterprise Linux | =7.6 | |
| Oracle Enterprise Manager Ops Center | =12.3.3 | |
| Oracle Hospitality Guest Access | =4.2.0 | |
| Oracle Hospitality Guest Access | =4.2.1 | |
| Oracle Instantis Enterprisetrack | =17.1 | |
| Oracle Instantis Enterprisetrack | =17.2 | |
| Oracle Instantis Enterprisetrack | =17.3 | |
| Oracle Retail Xstore Point of Service | =7.0 | |
| Oracle Retail Xstore Point of Service | =7.1 | |
| Oracle Secure Global Desktop | =5.4 | |
| Netapp Storage Automation Store | ||
| redhat/httpd | <2.4.35 | 2.4.35 |
| redhat/mod_http2 | <1.11.0 | 1.11.0 |
| debian/apache2 | 2.4.62-1~deb11u1 2.4.61-1~deb11u1 2.4.62-1~deb12u1 2.4.61-1~deb12u1 2.4.62-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00030.html
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00056.html
- http://www.securityfocus.com/bid/105414
- http://www.securitytracker.com/id/1041713
- https://access.redhat.com/errata/RHSA-2018:3558
- https://access.redhat.com/errata/RHSA-2019:0366
- https://access.redhat.com/errata/RHSA-2019:0367
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770@%3Ccvs.httpd.apache.org%3E
- https://security.netapp.com/advisory/ntap-20190204-0004/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us
- https://usn.ubuntu.com/3783-1/
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
- https://www.tenable.com/security/tns-2019-09
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03909en_us
- https://launchpad.net/bugs/cve/CVE-2018-11763
- https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r15f9aa4427581a1aecb4063f1b4b983511ae1c9935e2a0a6876dad3c%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r6521a7f62276340eabdb3339b2aa9a38c5f59d978497a1f794af53be%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rfcf929bd33a6833e3f0c35eebdad70d5060665f9c4e17ea467c66770%40%3Ccvs.httpd.apache.org%3E
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1633400
- https://svn.apache.org/r1840010
- https://svn.apache.org/r1840757
- https://github.com/icing/mod_h2/commit/5e75e5685dd043fe93a5a08a15edd087a43f6968
- https://bugzilla.redhat.com/show_bug.cgi?id=1633399
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-11763
- https://security-tracker.debian.org/tracker/CVE-2018-11763
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11763
- https://nvd.nist.gov/vuln/detail/CVE-2018-11763
- https://ubuntu.com/security/CVE-2018-11763
Frequently Asked Questions
What is the severity of CVE-2018-11763?
The severity of CVE-2018-11763 is medium (5.9).
How does CVE-2018-11763 affect Apache HTTP Server?
CVE-2018-11763 affects Apache HTTP Server versions 2.4.17 to 2.4.34.
What is the possible mitigation for CVE-2018-11763?
A possible mitigation for CVE-2018-11763 is to not enable the h2 protocol.
Which software versions are affected by CVE-2018-11763?
CVE-2018-11763 affects Apache HTTP Server versions 2.4.17 to 2.4.34, mod_http2 version up to 1.11.0, and some versions of Redhat Enterprise Linux, Canonical Ubuntu Linux, Oracle Enterprise Manager Ops Center, Oracle Hospitality Guest Access, Oracle Instantis Enterprisetrack, Oracle Retail Xstore Point of Service, Oracle Secure Global Desktop, and Netapp Storage Automation Store.
How do I fix CVE-2018-11763?
To fix CVE-2018-11763, update Apache HTTP Server to version 2.4.35 or higher.
- collector/nvd-index
- agent/type
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2018-11763
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/remedy
- agent/references
- agent/softwarecombine
- agent/tags
- agent/first-publish-date
- agent/description
- agent/event
- collector/security-tracker-debian
- source/Debian
- vendor/apache
- canonical/apache http server
- version/apache http server/2.4.17
- version/apache http server/2.4.34
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/18.04
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/6.0
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/7.4
- version/redhat enterprise linux/7.5
- version/redhat enterprise linux/7.6
- vendor/oracle
- canonical/oracle enterprise manager ops center
- version/oracle enterprise manager ops center/12.3.3
- canonical/oracle hospitality guest access
- version/oracle hospitality guest access/4.2.0
- version/oracle hospitality guest access/4.2.1
- canonical/oracle instantis enterprisetrack
- version/oracle instantis enterprisetrack/17.1
- version/oracle instantis enterprisetrack/17.2
- version/oracle instantis enterprisetrack/17.3
- canonical/oracle retail xstore point of service
- version/oracle retail xstore point of service/7.0
- version/oracle retail xstore point of service/7.1
- canonical/oracle secure global desktop
- version/oracle secure global desktop/5.4
- vendor/netapp
- canonical/netapp storage automation store
- package-manager/redhat
- package-manager/debian