Vulnerability Name:

CVE-2018-8011 (CCN-146700)

Assigned: 2018-07-18
Published: 2018-07-18
Updated: 2021-06-06
Summary: By specially crafting HTTP requests, the mod_md challenge handler would dereference a NULL pointer and cause the child process to segfault. This could be used to DoS the server. Fixed in Apache HTTP Server 2.4.34 (Affected 2.4.33).
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type: CWE-476
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2018-8011

Source: CCN
Type: oss-sec Mailing List, Wed, 18 Jul 2018 09:02:27 +0100
CVE-2018-8011: Apache HTTP Server mod_md DoS

Source: CCN
Type: IBM Security Bulletin 719629 (Rational Build Forge)
Multiple vulnerabilities in Apache Tomcat, Open SSL, and Apache HTTPD affects Rational Build Forge

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1041401

Source: XF
Type: UNKNOWN
apache-http-cve20188011-dos(146700)

Source: CCN
Type: Apache Web site
Apache HTTP Server 2.4 vulnerabilities

Source: CONFIRM
Type: Vendor Advisory
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-8011

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073139 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/json/

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1888194 [12/13] - /httpd/site/trunk/content/security/json/

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073149 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20180926-0007/

Source: CCN
Type: IBM Security Bulletin 720141 (i)
Vulnerabilities CVE-2018-1333 and CVE-2018-8011 in the IBM i HTTP Server affect IBM i.

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:apache:http_server:2.4.33:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/a:netapp:cloud_backup:-:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:apache:http_server:2.4.33:*:*:*:*:*:*:*
  • AND
  • cpe:/o:ibm:i:7.3:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:51571 | P | Security update for tiff (Important) | 2022-11-28
oval:org.opensuse.security:def:20188011 | V | CVE-2018-8011 | 2022-09-02
oval:org.opensuse.security:def:51762 | P | Security update for java-1_7_1-ibm (Moderate) (in QA) | 2022-01-04
oval:org.opensuse.security:def:4730 | P | Security update for the Linux RT Kernel (Important) | 2021-12-10
oval:org.opensuse.security:def:64613 | P | Security update for samba (Important) | 2021-11-10
oval:org.opensuse.security:def:63192 | P | apache2-2.4.33-3.15.1 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:90027 | P | apache2-2.4.33-3.15.1 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:103682 | P | apache2-2.4.33-3.15.1 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:96992 | P | apache2-2.4.33-3.15.1 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:2103 | P | apache2-2.4.33-3.15.1 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:71400 | P | sudo-1.8.22-4.3.3 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:71287 | P | libnm0-1.10.6-5.3.1 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:51656 | P | Security update for transfig (Moderate) | 2021-09-16
oval:org.opensuse.security:def:4751 | P | Security update for compat-openssl098 (Low) | 2021-09-13
oval:org.opensuse.security:def:1025 | P | Security update for fetchmail (Moderate) | 2021-08-20
oval:org.opensuse.security:def:68047 | P | Security update for the Linux Kernel (Live Patch 14 for SLE 15 SP1) (Important) | 2021-08-17
oval:org.opensuse.security:def:47561 | P | autofs-5.0.9-28.3.5 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47547 | P | accountsservice-0.6.42-16.3.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48247 | P | opensc-0.13.0-3.3.2 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48099 | P | libcairo-gobject2-1.15.2-25.3.2 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48007 | P | flatpak-1.4.2-1.31 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47546 | P | aaa_base-13.2+git20140911.61c1681-38.8.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47875 | P | res-signingkeys-3.0.38-52.26.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47682 | P | libXrandr2-1.5.0-6.2 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:1547 | P | Security update for the Linux Kernel (Important) | 2021-08-10
oval:org.opensuse.security:def:48461 | P | libQt5WebKit5-5.6.1-9.4 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48774 | P | gimp-2.8.18-4.7 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48703 | P | python-devel-2.7.7-2.36 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48672 | P | gcc48-gij-32bit-4.8.3+r212056-6.3 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48607 | P | python-libxml2-2.9.4-27.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48545 | P | libraptor2-0-2.0.10-3.63 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:64700 | P | Security update for bind (Important) | 2021-06-01
oval:org.opensuse.security:def:51728 | P | Security update for openvswitch (Important) | 2021-02-12
oval:org.opensuse.security:def:51470 | P | Security update for xen (Important) | 2020-12-07
oval:org.opensuse.security:def:4092 | P | mozilla-nspr-devel-4.21-19.9.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:3966 | P | libcolord-devel-1.3.3-12.13 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:4088 | P | libzzip-0-13-0.13.67-10.14.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:3954 | P | libapr-util1-1.5.3-2.8.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:3863 | P | bsh2-2.0.0.b5-3.2 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:4085 | P | libzip-devel-0.11.1-13.3.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:3923 | P | java-1_7_1-ibm-devel-1.7.1_sr4.50-38.41.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:4078 | P | libwsman-devel-2.4.11-21.8.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:3883 | P | evolution-devel-3.22.6-19.9.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:4055 | P | libspice-server-devel-0.12.8-12.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:3871 | P | cups-ddk-1.7.5-20.23.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:4038 | P | libptexenc1-1.3.2dev-22.3.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:3982 | P | libgnomesu-devel-2.0.0-353.6.2 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:50769 | P | Security update for mutt (Important) | 2020-12-01
oval:org.opensuse.security:def:53113 | P | Security update for python-urllib3 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50536 | P | Security update for ldb (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50403 | P | Security update for sssd (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49988 | P | apache2 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50381 | P | Security update for libvirt (Moderate) | 2020-12-01
oval:org.opensuse.security:def:51200 | P | Security update for python (Important) | 2020-12-01
oval:org.opensuse.security:def:67947 | P | perl-File-Path on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:51837 | P | Security update for openexr (Low) | 2020-12-01
oval:org.opensuse.security:def:51036 | P | Security update for docker (Moderate) | 2020-12-01
oval:org.opensuse.security:def:53182 | P | Security update for apache2 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:49934 | P | 389-ds on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50932 | P | Security update for graphviz (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50380 | P | Security update for graphviz (Moderate) | 2020-12-01
oval:com.ubuntu.artful:def:20188011000 | V | CVE-2018-8011 on Ubuntu 17.10 (artful) - medium. | 2018-07-18
oval:com.ubuntu.bionic:def:20188011000 | V | CVE-2018-8011 on Ubuntu 18.04 LTS (bionic) - medium. | 2018-07-18
oval:com.ubuntu.bionic:def:201880110000000 | V | CVE-2018-8011 on Ubuntu 18.04 LTS (bionic) - medium. | 2018-07-18
oval:com.ubuntu.trusty:def:20188011000 | V | CVE-2018-8011 on Ubuntu 14.04 LTS (trusty) - medium. | 2018-07-18
oval:com.ubuntu.xenial:def:201880110000000 | V | CVE-2018-8011 on Ubuntu 16.04 LTS (xenial) - medium. | 2018-07-18
oval:com.ubuntu.xenial:def:20188011000 | V | CVE-2018-8011 on Ubuntu 16.04 LTS (xenial) - medium. | 2018-07-18
    apache http server 2.4.33
    netapp cloud backup -
    apache http server 2.4.33
    ibm i 7.3