Apache HTTP Server Continuous SETTINGS Frames Denial of Service Vulnerability

September 27, 2018, 2:21 am

A vulnerability in Apache HTTP Server could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.

The vulnerability exists because the affected software improperly processes maximum-size SETTINGS frames for an ongoing HTTP/2 connection. An attacker could exploit this vulnerability by sending continuous SETTINGS frames that submit malicious input during an ongoing HTTP/2 connection on the targeted system. A successful exploit could cause the HTTP/2 connection on the system to fail to time out, resulting in a DoS condition.
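For detection, the pattern described above (a connection kept busy with SETTINGS frames and no requests) can be looked for in a decrypted client-to-server HTTP/2 byte stream. The following is an added example, not code from this advisory or from Apache; the function names, the `max_run` threshold of 10 and the sample byte strings are assumptions constructed for illustration.

```python
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # client connection preface (RFC 7540)
DATA, HEADERS, SETTINGS, ACK = 0x0, 0x1, 0x4, 0x1

def frame(ftype, flags, stream_id, payload=b""):
    """Build one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    n = len(payload)
    return struct.pack(">BHBBI", n >> 16, n & 0xFFFF, ftype, flags, stream_id) + payload

def iter_frames(buf):
    """Yield (type, flags, stream_id, payload) for each complete frame in buf."""
    pos = len(PREFACE) if buf.startswith(PREFACE) else 0
    while pos + 9 <= len(buf):
        hi, lo, ftype, flags, sid = struct.unpack_from(">BHBBI", buf, pos)
        end = pos + 9 + ((hi << 16) | lo)
        if end > len(buf):          # truncated capture: stop cleanly
            break
        yield ftype, flags, sid & 0x7FFFFFFF, buf[pos + 9:end]
        pos = end

def settings_flood(buf, max_run=10):
    """Flag a client stream whose longest run of non-ACK SETTINGS frames,
    uninterrupted by HEADERS or DATA, exceeds max_run (assumed threshold)."""
    total = run = longest = nbytes = 0
    for ftype, flags, _sid, payload in iter_frames(buf):
        if ftype == SETTINGS and not flags & ACK:
            total += 1
            run += 1
            nbytes += len(payload)
            longest = max(longest, run)
        elif ftype in (HEADERS, DATA):
            run = 0
    return {"settings": total, "settings_bytes": nbytes,
            "longest_run": longest, "flagged": longest > max_run}

# Constructed sample input (not captured traffic).
ONE_SETTING = struct.pack(">HI", 0x4, 65535)        # SETTINGS_INITIAL_WINDOW_SIZE
NORMAL = (PREFACE + frame(SETTINGS, 0, 0, ONE_SETTING)
          + frame(HEADERS, 0x5, 1, b"\x82\x86\x84")  # END_STREAM | END_HEADERS
          + frame(SETTINGS, ACK, 0))
SUSPECT = PREFACE + frame(SETTINGS, 0, 0, ONE_SETTING) * 50

if __name__ == "__main__":
    for name, buf in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, settings_flood(buf))
```

A legitimate client normally sends one SETTINGS frame at connection start and occasional updates, so the threshold should be tuned against baseline traffic before alerting on it.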

Apache confirmed the vulnerability and released software updates.

Security Impact Rating: Low

CVE: CVE-2018-11763
