CVE-2018-1302
Published: 26 March 2018
When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer, potentially to already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations; the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk.
Notes
Author | Note |
---|---|
mdeslaur | artful and older don't enable http2 in the build. This needs to be fixed by backporting the whole http2 module from a more-recent apache2. |
Priority
Status
Package | Release | Status |
---|---|---|
apache2 | upstream | Released (2.4.30) |
apache2 | trusty | Not vulnerable (code not present) |
apache2 | xenial | Not vulnerable (code not built) |
apache2 | artful | Not vulnerable (code not built) |
apache2 | bionic | Released (2.4.29-1ubuntu4.4) |

Patches:

upstream: http://svn.apache.org/viewvc?view=revision&revision=1822624 (trunk)

upstream: http://svn.apache.org/viewvc?view=revision&revision=1823781 (2.4.x)

upstream: https://github.com/apache/httpd/commit/1acf5c9fd27cbf166c1f3e9b20e3bcfe8e790e48 (trunk)

Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.9 |
Attack vector | Network |
Attack complexity | High |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |