ID

VAR-201807-2071


CVE

CVE-2018-8011


TITLE

Apache HTTP Server In NULL Pointer dereference vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2018-008181

DESCRIPTION

By specially crafting HTTP requests, the mod_md challenge handler would dereference a NULL pointer and cause the child process to segfault. This could be used to DoS the server. Fixed in Apache HTTP Server 2.4.34 (Affected 2.4.33). The server is fast, reliable and extensible through a simple API. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] httpd (SSA:2018-199-01) New httpd packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ patches/packages/httpd-2.4.34-i586-1_slack14.2.txz: Upgraded. This update fixes two denial of service issues: mod_md: DoS via Coredumps on specially crafted requests mod_http2: DoS for HTTP/2 connections by specially crafted requests For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8011 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1333 (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (http://osuosl.org) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://slackware.com for additional mirror sites near you. Updated package for Slackware 14.0: ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/httpd-2.4.34-i486-1_slack14.0.txz Updated package for Slackware x86_64 14.0: ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/httpd-2.4.34-x86_64-1_slack14.0.txz Updated package for Slackware 14.1: ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/httpd-2.4.34-i486-1_slack14.1.txz Updated package for Slackware x86_64 14.1: ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/httpd-2.4.34-x86_64-1_slack14.1.txz Updated package for Slackware 14.2: ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/httpd-2.4.34-i586-1_slack14.2.txz Updated package for Slackware x86_64 14.2: ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/httpd-2.4.34-x86_64-1_slack14.2.txz Updated package for Slackware -current: ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/httpd-2.4.34-i586-1.txz Updated package for Slackware x86_64 -current: ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/httpd-2.4.34-x86_64-1.txz MD5 signatures: +-------------+ Slackware 14.0 package: 91123a66731b7803ebac0f55e3099e81 httpd-2.4.34-i486-1_slack14.0.txz Slackware x86_64 14.0 package: 49c0a8ae83d724da460b73a78ddf1dda httpd-2.4.34-x86_64-1_slack14.0.txz Slackware 14.1 package: d695afcd996b00f7dbe00c89bf1c0ee1 httpd-2.4.34-i486-1_slack14.1.txz Slackware x86_64 14.1 package: 8ebc97729250d80d319174ff64ca2921 httpd-2.4.34-x86_64-1_slack14.1.txz Slackware 14.2 package: 149a610e5280fcfbbe1066fa9cfeb970 httpd-2.4.34-i586-1_slack14.2.txz Slackware x86_64 14.2 package: 7a35ce525340631b74e8ffe9e58f2b4c httpd-2.4.34-x86_64-1_slack14.2.txz Slackware -current package: d95348a370dd9c2edc92c6f2274b8ce2 n/httpd-2.4.34-i586-1.txz Slackware x86_64 -current package: daea307cb655b015c4bafcbec6ba9869 n/httpd-2.4.34-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg httpd-2.4.34-i586-1_slack14.2.txz Then, restart Apache httpd: # /etc/rc.d/rc.httpd stop # /etc/rc.d/rc.httpd start +-----+ Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com +------------------------------------------------------------------------+ | To leave the slackware-security mailing list: | +------------------------------------------------------------------------+ | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | | | unsubscribe slackware-security | | | | You will get a confirmation message back containing instructions to | | complete the process. Please do not reply to this email address. | +------------------------------------------------------------------------+ -----BEGIN PGP SIGNATURE----- iEYEARECAAYFAltPwl8ACgkQakRjwEAQIjM2gACdFx/ujiL+fhuVlaiEFb30V3G4 a2EAn3DP5XwN0g9OQlrQ+shbkmVYyFHh =zaoO -----END PGP SIGNATURE-----

Trust: 2.34

sources: NVD: CVE-2018-8011 // JVNDB: JVNDB-2018-008181 // CNVD: CNVD-2022-09234 // VULMON: CVE-2018-8011 // PACKETSTORM: 148615

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2022-09234

AFFECTED PRODUCTS

vendor:apachemodel:http serverscope:eqversion:2.4.33

Trust: 2.4

vendor:netappmodel:cloud backupscope:eqversion: -

Trust: 1.0

vendor:apachemodel:httpdscope:eqversion:2.4.33

Trust: 0.6

sources: CNVD: CNVD-2022-09234 // JVNDB: JVNDB-2018-008181 // CNNVD: CNNVD-201807-1324 // NVD: CVE-2018-8011

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2018-8011
value: HIGH

Trust: 1.0

NVD: CVE-2018-8011
value: HIGH

Trust: 0.8

CNVD: CNVD-2022-09234
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201807-1324
value: HIGH

Trust: 0.6

VULMON: CVE-2018-8011
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2018-8011
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2022-09234
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2018-8011
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2022-09234 // VULMON: CVE-2018-8011 // JVNDB: JVNDB-2018-008181 // CNNVD: CNNVD-201807-1324 // NVD: CVE-2018-8011

PROBLEMTYPE DATA

problemtype:CWE-476

Trust: 1.8

sources: JVNDB: JVNDB-2018-008181 // NVD: CVE-2018-8011

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201807-1324

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-201807-1324

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-008181

PATCH

title:moderate: mod_md, DoS via Coredumps on specially crafted requests (CVE-2018-8011)url:https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-8011

Trust: 0.8

title:Patch for Apache HTTP Server mod_md Denial of Service Vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/318211

Trust: 0.6

title:Apache HTTP Server Security vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=84107

Trust: 0.6

title:Debian CVElist Bug Report Logs: apache2: CVE-2018-1333: DoS for HTTP/2 connections by crafted requestsurl:https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=6b0c6c19aa8bba59bec7bdb98a8dde6d

Trust: 0.1

title:Debian CVElist Bug Report Logs: apache2: CVE-2018-8011: mod_md, DoS via Coredumps on specially crafted requestsurl:https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=9de45dc43deffd8b5a3e92a4095764b5

Trust: 0.1

title:Amazon Linux AMI: ALAS-2018-1062url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2018-1062

Trust: 0.1

title:Red Hat: CVE-2018-8011url:https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2018-8011

Trust: 0.1

title:Arch Linux Issues: url:https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2018-8011

Trust: 0.1

title:Arch Linux Advisories: [ASA-201807-12] apache: denial of serviceurl:https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201807-12

Trust: 0.1

title:Amazon Linux 2: ALAS2-2018-1062url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2-2018-1062

Trust: 0.1

title:Symantec Security Advisories: Apache HTTP Server Vulnerabilities Jul 2017 - Sep 2018url:https://vulmon.com/vendoradvisory?qidtp=symantec_security_advisories&qid=d2f801f4ee4b743c8db2cea35625dd16

Trust: 0.1

title:Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - July 2018url:https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=586e6062440cdd312211d748e028164e

Trust: 0.1

sources: CNVD: CNVD-2022-09234 // VULMON: CVE-2018-8011 // JVNDB: JVNDB-2018-008181 // CNNVD: CNNVD-201807-1324

EXTERNAL IDS

db:NVDid:CVE-2018-8011

Trust: 3.2

db:SECTRACKid:1041401

Trust: 1.7

db:JVNDBid:JVNDB-2018-008181

Trust: 0.8

db:CNVDid:CNVD-2022-09234

Trust: 0.6

db:AUSCERTid:ESB-2020.4295

Trust: 0.6

db:CNNVDid:CNNVD-201807-1324

Trust: 0.6

db:VULMONid:CVE-2018-8011

Trust: 0.1

db:PACKETSTORMid:148615

Trust: 0.1

sources: CNVD: CNVD-2022-09234 // VULMON: CVE-2018-8011 // JVNDB: JVNDB-2018-008181 // PACKETSTORM: 148615 // CNNVD: CNNVD-201807-1324 // NVD: CVE-2018-8011

REFERENCES

url:http://www.securitytracker.com/id/1041401

Trust: 1.7

url:https://security.netapp.com/advisory/ntap-20180926-0007/

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2018-8011

Trust: 1.5

url:https://httpd.apache.org/security/vulnerabilities_24.html#cve-2018-8011

Trust: 1.1

url:https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3ccvs.httpd.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3ccvs.httpd.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d%40%3ccvs.httpd.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3ccvs.httpd.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3ccvs.httpd.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3ccvs.httpd.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3ccvs.httpd.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3ccvs.httpd.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538%40%3ccvs.httpd.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3ccvs.httpd.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9%40%3ccvs.httpd.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3ccvs.httpd.apache.org%3e

Trust: 1.0

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-8011

Trust: 0.9

url:httpd.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9@%3ccvs.

Trust: 0.6

url:httpd.apache.org/security/vulnerabilities_24.html#cve-2018-8011

Trust: 0.6

url:https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538@%3ccvs.

Trust: 0.6

url:https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3ccvs.

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.4295/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/476.html

Trust: 0.1

url:https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9@%3ccvs.httpd.apache.org%3e

Trust: 0.1

url:https://tools.cisco.com/security/center/viewalert.x?alertid=58444

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:http://slackware.com

Trust: 0.1

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-1333

Trust: 0.1

url:http://osuosl.org)

Trust: 0.1

url:http://slackware.com/gpg-key

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-1333

Trust: 0.1

sources: CNVD: CNVD-2022-09234 // VULMON: CVE-2018-8011 // JVNDB: JVNDB-2018-008181 // PACKETSTORM: 148615 // CNNVD: CNNVD-201807-1324 // NVD: CVE-2018-8011

CREDITS

Slackware Security Team

Trust: 0.1

sources: PACKETSTORM: 148615

SOURCES

db:CNVDid:CNVD-2022-09234
db:VULMONid:CVE-2018-8011
db:JVNDBid:JVNDB-2018-008181
db:PACKETSTORMid:148615
db:CNNVDid:CNNVD-201807-1324
db:NVDid:CVE-2018-8011

LAST UPDATE DATE

2024-08-14T12:14:27.731000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2022-09234date:2022-02-10T00:00:00
db:VULMONid:CVE-2018-8011date:2021-06-06T00:00:00
db:JVNDBid:JVNDB-2018-008181date:2018-10-10T00:00:00
db:CNNVDid:CNNVD-201807-1324date:2021-06-07T00:00:00
db:NVDid:CVE-2018-8011date:2023-11-07T03:01:20.857

SOURCES RELEASE DATE

db:CNVDid:CNVD-2022-09234date:2022-02-09T00:00:00
db:VULMONid:CVE-2018-8011date:2018-07-18T00:00:00
db:JVNDBid:JVNDB-2018-008181date:2018-10-10T00:00:00
db:PACKETSTORMid:148615date:2018-07-19T15:52:29
db:CNNVDid:CNNVD-201807-1324date:2018-07-19T00:00:00
db:NVDid:CVE-2018-8011date:2018-07-18T14:29:00.307