BSA-2019-755
21442
07 February 2019
07 February 2019
Closed
Low
N/A
No
CVE-2019-0190, CVE-2018-17199, CVE-2018-17189
Security Advisory ID : BSA-2019-755
Component : Apache
Revision : 1.0: Final
Apache 2.4 vulnerabilities in Brocade Fibre Channel Products from Broadcom
Multiple Brocade Fibre Channel technology products from Broadcom incorporate Apache httpd 2.4 libraries. In January 2019, Apache released a list of CVEs fixed in Apache httpd 2.4.38.
CVE-2019-0190 - Risk Impact: None - mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can only be triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts. CVSS v3: 6.5
CVE-2018-17199 - Risk Impact: None - mod_session_cookie does not respect expiry time
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes the session expiry time to be ignored for mod_session_cookie sessions, since the expiry time is loaded when the session is decoded. CVSS v3: 4.3
CVE-2018-17189 - Risk Impact: None - DoS for HTTP/2 connections via slow request bodies.
By sending request bodies in a slowloris fashion to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. CVSS v3: 4.3
More information can be found at:
https://httpd.apache.org/security/vulnerabilities_24.html
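The following is an added triage helper, not part of this advisory or of any Broadcom or Apache tooling, that applies the preconditions stated above (fixed in 2.4.38; CVE-2019-0190 only on 2.4.37 with OpenSSL 1.1.1 or later; CVE-2018-17199 only where mod_session_cookie sessions are used; CVE-2018-17189 only where h2 is enabled) to a constructed host inventory. The inventory values and the host names are assumptions for illustration.

```python
# Added example (not from the advisory): map an httpd host inventory to the
# advisory's three CVEs using the conditions the advisory states.
import re

FIXED_IN = (2, 4, 38)  # httpd release that fixes all three CVEs (per the advisory)


def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'Apache/2.4.37 (Unix)'
    or 'OpenSSL 1.1.1a'. Returns None when no dotted version is present."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def affected_cves(httpd_version, openssl_version=None, h2_enabled=False,
                  uses_session_cookie=False):
    """Return the advisory CVEs whose stated preconditions a host meets."""
    ver = parse_version(httpd_version)
    # The advisory covers only the 2.4 branch; 2.4.38 and later are fixed.
    if ver is None or ver[:2] != (2, 4) or ver >= FIXED_IN:
        return []
    hits = []
    # CVE-2019-0190: only 2.4.37 combined with OpenSSL 1.1.1 or later.
    ossl = parse_version(openssl_version)
    if ver == (2, 4, 37) and ossl is not None and ossl >= (1, 1, 1):
        hits.append("CVE-2019-0190")
    # CVE-2018-17199: 2.4.37 and prior, relevant when mod_session_cookie is used.
    if uses_session_cookie:
        hits.append("CVE-2018-17199")
    # CVE-2018-17189: affects only HTTP/2 connections, so only when h2 is enabled.
    if h2_enabled:
        hits.append("CVE-2018-17189")
    return hits


def triage(inventory):
    """inventory: {host: {"httpd": str, "openssl": str, "h2": bool, "session_cookie": bool}}.
    Returns {host: [CVE, ...]} for hosts with at least one applicable CVE."""
    result = {}
    for host, facts in inventory.items():
        cves = affected_cves(facts.get("httpd"), facts.get("openssl"),
                             facts.get("h2", False), facts.get("session_cookie", False))
        if cves:
            result[host] = cves
    return result


# Constructed sample inventory (hypothetical hosts; not from the advisory).
SAMPLE_INVENTORY = {
    "web-a": {"httpd": "Apache/2.4.37 (Unix)", "openssl": "OpenSSL 1.1.1a", "h2": True, "session_cookie": True},
    "web-b": {"httpd": "Apache/2.4.37 (Unix)", "openssl": "OpenSSL 1.0.2q", "h2": True, "session_cookie": False},
    "web-c": {"httpd": "Apache/2.4.38 (Unix)", "openssl": "OpenSSL 1.1.1a", "h2": True, "session_cookie": True},
}

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(host, ", ".join(cves))
```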
Affected Products
No Brocade Fibre Channel technology products from Broadcom are currently known to be affected by these vulnerabilities.
Revision History
| Version | Change | Date |
|---|---|---|
| 1.0 | Initial Publication | February 7, 2019 |