kayladavis edited this page Dec 18, 2016 · 3 revisions

# CVE-2016-1546

The Apache HTTP Server 2.4.17 and 2.4.18, when mod_http2 is enabled, does not limit the number of simultaneous stream workers for a single HTTP/2 connection, which allows remote attackers to cause a denial of service (stream-processing outage) via modified flow-control windows.

Announced: 2014-10-06

  1. The fix commit for the vulnerability (a git hash):

  2. The commit that introduced the vulnerability (a git hash):

    • This may have been the commit, but it is unclear: a919aab3da5006470f7ae613bee6d0c2c35707e8. The vulnerability may also have been in the code since the initial creation of the http2 module.
  3. A description of the coding mistake that led to the vulnerability:

    • Clients are able to block server threads, causing worker thread starvation, which results in a DoS.
    • The fix restricts the number of concurrent stream workers per connection if the client is slow.
    • If the developers had throttled burst connections, it wouldn't have been a problem.
  4. Who found it?

  5. Who fixed it, was it the same person?

  6. Is this code tested by automated tests?

    • There were no tests found in the httpd2 module
  7. Read the discussions about the code between introduction and fix

  8. Was there a bounty awarded?

    • No
  9. Evidence of exploit

    • No evidence found.
  10. Any mention of how it was found? Fuzzer? Manual?

    • No mention found; probably manual.
  11. Any other interesting facts about this vulnerability that you would tell someone
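
The coding mistake and fix from item 3, as a simplified model added here for illustration. It is not code from Apache httpd or mod_http2; the pool size, the starting cap, the halve/double policy, and all names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

#define POOL_WORKERS 8  /* assumed size of the shared worker pool */
#define START_LIMIT  4  /* assumed initial per-connection cap */

struct pool { int free_workers; bool enforce_cap; };
struct conn { int active; int limit; };

/* Hand a pool worker to one stream of connection c, if allowed. */
static bool acquire_worker(struct pool *p, struct conn *c) {
    if (p->free_workers == 0) return false;                    /* pool exhausted */
    if (p->enforce_cap && c->active >= c->limit) return false; /* per-connection cap */
    p->free_workers--;
    c->active++;
    return true;
}

/* Adapt the cap: halve it when a worker stalls on the client's closed
 * flow-control window, double it (up to the pool size) when the client reads. */
static void report_io(struct conn *c, bool stalled) {
    if (stalled) { if (c->limit > 1) c->limit /= 2; }
    else if (c->limit * 2 <= POOL_WORKERS) c->limit *= 2;
}

/* A slow client opens `streams` streams and never opens its window, so every
 * worker it gets stays blocked. Returns how many of `want` workers a second
 * connection can still obtain. */
int workers_left_for_others(bool enforce_cap, int streams, int want) {
    struct pool p = { POOL_WORKERS, enforce_cap };
    struct conn slow = { 0, START_LIMIT };
    struct conn other = { 0, START_LIMIT };
    int got = 0;
    for (int i = 0; i < streams; i++)
        if (acquire_worker(&p, &slow)) report_io(&slow, true);
    for (int i = 0; i < want; i++)
        if (acquire_worker(&p, &other)) got++;
    return got;
}

int main(void) {
    printf("no cap:   other connection gets %d of 4 workers\n",
           workers_left_for_others(false, 100, 4));
    printf("with cap: other connection gets %d of 4 workers\n",
           workers_left_for_others(true, 100, 4));
    return 0;
}
```

Without the cap, the stalled connection ends up holding every worker in the pool; with it, the stalled connection is cut back to two workers and the second connection is still served.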
