{
  "threat_severity" : "Low",
  "public_date" : "2016-12-04T00:00:00Z",
  "bugzilla" : {
    "description" : "httpd: Incomplete handling of LimitRequestFields directive in mod_http2",
    "id" : "1401528",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1401528"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:N/I:N/A:P",
    "status" : "verified"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.9",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-20->CWE-770",
  "details" : [ "The mod_http2 module in the Apache HTTP Server 2.4.17 through 2.4.23, when the Protocols configuration includes h2 or h2c, does not restrict request-header length, which allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request.", "A vulnerability was found in httpd's handling of the LimitRequestFields directive in mod_http2, affecting servers with HTTP/2 enabled. An attacker could send crafted requests with headers larger than the server's available memory, causing httpd to crash." ],
  "statement" : "Red Hat Product Security has rated this issue as having Low security\nimpact. This issue is not currently planned to be addressed in future\nupdates. For additional information, refer to the Issue Severity\nClassification: https://access.redhat.com/security/updates/classification/.",
  "affected_release" : [ {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2017-06-07T00:00:00Z",
    "advisory" : "RHSA-2017:1414",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-httpd-0:2.4.23-120.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2017-06-07T00:00:00Z",
    "advisory" : "RHSA-2017:1414",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-mod_security-0:2.9.1-19.GA.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2017-06-07T00:00:00Z",
    "advisory" : "RHSA-2017:1414",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-openssl-1:1.0.2h-13.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2017-06-07T00:00:00Z",
    "advisory" : "RHSA-2017:1413",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-httpd-0:2.4.23-120.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2017-06-07T00:00:00Z",
    "advisory" : "RHSA-2017:1413",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_security-0:2.9.1-19.GA.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2017-06-07T00:00:00Z",
    "advisory" : "RHSA-2017:1413",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-openssl-1:1.0.2h-13.jbcs.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2017-04-26T00:00:00Z",
    "advisory" : "RHSA-2017:1161",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "httpd24-httpd-0:2.4.25-9.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS",
    "release_date" : "2017-04-26T00:00:00Z",
    "advisory" : "RHSA-2017:1161",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6",
    "package" : "httpd24-httpd-0:2.4.25-9.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2017-04-26T00:00:00Z",
    "advisory" : "RHSA-2017:1161",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "httpd24-httpd-0:2.4.25-9.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS",
    "release_date" : "2017-04-26T00:00:00Z",
    "advisory" : "RHSA-2017:1161",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7",
    "package" : "httpd24-httpd-0:2.4.25-9.el7"
  }, {
    "product_name" : "Text-Only JBCS",
    "release_date" : "2017-06-07T00:00:00Z",
    "advisory" : "RHSA-2017:1415",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Directory Server 8",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:directory_server:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Not affected",
    "package_name" : "httpd22",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 1",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2",
    "fix_state" : "Not affected",
    "package_name" : "httpd22",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3",
    "fix_state" : "Not affected",
    "package_name" : "httpd24",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-8740\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-8740\nhttp://seclists.org/bugtraq/2016/Dec/3\nhttps://httpd.apache.org/security/vulnerabilities_24.html" ],
  "name" : "CVE-2016-8740",
  "mitigation" : {
    "value" : "As a temporary workaround, HTTP/2 can be disabled by removing\nh2 and h2c from the Protocols line(s) in the configuration file.\nThe resulting line should read:\nProtocols http/1.1",
    "lang" : "en:us"
  },
  "csaw" : false
}