Description

The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request.

References

• BID-94650
• GENTOO-GLSA-201701-36
• NVD-CVE-2016-8740
• SECTRACK-1037388

Solution

Related Vulnerabilities

• SUSE: CVE-2016-8740: SUSE Linux Security Advisory
• HP-UX: CVE-2016-8740: HPE HP-UX Web Server Suite running Apache, Multiple Vulnerabilities
• Gentoo Linux: CVE-2016-8740: Apache: Multiple vulnerabilities
• Alpine Linux: CVE-2016-8740: apache2 Multiple vulnerabilities
• OS X update for apache (CVE-2016-8740)
• Oracle Solaris 11: CVE-2016-8740: Vulnerability in Apache HTTP server
• Apache HTTPD: HTTP/2 CONTINUATION denial of service (CVE-2016-8740)