CVE-2016-1546 Information

Description

The Apache HTTP Server 2.4.17 and 2.4.18 when mod_http2 is enabled does not limit the number of simultaneous stream workers for a single HTTP/2 connection which allows remote attackers to cause a denial of service (stream-processing outage) via modified flow-control windows.

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Reference

http://httpd.apache.org/security/vulnerabilities_24.html http://svn.apache.org/viewvc?view=revision&revision=1733727 http://www.apache.org/dist/httpd/CHANGES_2.4 http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html http://www.securityfocus.com/bid/92331 https://access.redhat.com/errata/RHSA-2017:1161 https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@3Ccvs.httpd.apache.org3E https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@3Ccvs.httpd.apache.org3E https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@3Ccvs.httpd.apache.org3E https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@3Ccvs.httpd.apache.org3E https://security.gentoo.org/glsa/201610-02 https://security.netapp.com/advisory/ntap-20180601-0001/

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

NONE

Base Score

HIGH

Base Severity

5.9