Apache HTTP/2 Denial of Service Vulnerability

HIGH (10.0) No Patch (9602 days)

Threat Intelligence

⚠️ CRITICAL GAP - Exploits exist but no detection available
EPSS Score: 5.02% chance of exploitation (percentile: 89%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: Exploit-DB


What is it?

HTTP/2, as implemented in Apache HTTP Server, is a modern successor to HTTP/1.1 that allows more efficient and secure communication between servers and clients. This vulnerability, however, lets a remote attacker cause a denial of service by sending a large number of MIME headers.

Am I affected?

You're affected if you use Apache HTTP Server version 2.4.10 or earlier (the advisory does not specify the exact affected range). To check your server configuration, locate the config file with find / -name "httpd*.conf" and look for HTTP/2 being enabled with: grep -E "http2_module|Protocols.*h2" /etc/apache2/httpd.conf

Affected Products

Apache Software Foundation / Apache HTTP Server

How to fix

  1. Upgrade to Apache HTTP Server version 2.4.11 or later from the official Apache website: https://www.apache.org/dist/httpd/source/2.4.11.tar.gz
  2. Alternatively, as a workaround, disable the HTTP/2 module by commenting out its LoadModule line in your httpd.conf file:
# Comment out the http2_module LoadModule line in httpd.conf (GNU sed in-place edit)
sed -i 's/^LoadModule http2_module/#LoadModule http2_module/' /etc/apache2/httpd.conf
# Restart httpd afterwards so the change takes effect