PT-2016-7559 · Apache · Apache HTTP Server

Jungun Baek · Published 2016-12-04 · Updated 2026-06-08 · CVE-2016-8740

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Apache HTTP Server versions 2.4.17 through 2.4.23

Description: The issue lies in the mod_http2 module of the Apache HTTP Server, which does not restrict request-header length when the Protocols configuration includes h2 or h2c. This allows remote attackers to cause a denial of service (memory consumption) via crafted CONTINUATION frames in an HTTP/2 request. The HTTP/2 protocol implementation handled the LimitRequestFields directive incompletely, allowing an attacker to inject an unlimited number of request headers into the server and eventually exhaust its memory.

Recommendations: For Apache HTTP Server versions 2.4.17 through 2.4.23, consider disabling the mod_http2 module until a patch is available to prevent exploitation. Restrict access to the HTTP/2 protocol to minimize the risk of denial-of-service attacks. Avoid using the LimitRequestFields directive in the affected HTTP/2 configuration until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
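A defender's check for the two conditions named above, added here as an example and not part of this advisory: it tests an `httpd -v` version line against the stated affected range and scans a configuration fragment for a Protocols directive that offers h2 or h2c. The httpd.conf fragments inside are constructed for illustration, not taken from any real deployment.

```shell
#!/bin/sh
# Added example (not part of the advisory): checks for the two conditions the
# advisory names for CVE-2016-8740, an httpd version in 2.4.17..2.4.23 and a
# Protocols directive that enables h2 or h2c.

AFFECTED_MIN=17   # 2.4.17, first affected patch level per the advisory
AFFECTED_MAX=23   # 2.4.23, last affected patch level per the advisory

# is_affected_version VERSION
# VERSION may be bare ("2.4.20") or the first line printed by `httpd -v`
# ("Server version: Apache/2.4.20 (Unix)"). Returns 0 when in the range.
is_affected_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$v" ] || return 1
    set -- $v                      # word-split on purpose: $1=major $2=minor $3=patch
    [ "$1" -eq 2 ] && [ "$2" -eq 4 ] || return 1
    [ "$3" -ge "$AFFECTED_MIN" ] && [ "$3" -le "$AFFECTED_MAX" ]
}

# config_enables_h2 CONFIG_TEXT
# Returns 0 when an uncommented Protocols directive lists h2 or h2c.
config_enables_h2() {
    printf '%s\n' "$1" \
        | grep -v '^[[:space:]]*#' \
        | grep -iqE '^[[:space:]]*Protocols[[:space:]]+([^[:space:]]+[[:space:]]+)*h2c?([[:space:]]|$)'
}

# Constructed httpd.conf fragments, not taken from any real deployment.
# Vulnerable shape: HTTP/2 is offered, so on an affected build the
# LimitRequestFields bound is not enforced for HTTP/2 CONTINUATION frames.
VULNERABLE_CONF='LoadModule http2_module modules/mod_http2.so
Protocols h2 h2c http/1.1
LimitRequestFields 100'

# Mitigated shape following the advisory: module not loaded, no h2/h2c offered.
MITIGATED_CONF='#LoadModule http2_module modules/mod_http2.so
Protocols http/1.1
LimitRequestFields 100'

for name in VULNERABLE_CONF MITIGATED_CONF; do
    eval "conf=\$$name"
    if config_enables_h2 "$conf"; then
        echo "$name: offers h2/h2c -> exposed on an affected build"
    else
        echo "$name: HTTP/2 not offered"
    fi
done
```

Run the same two functions against `httpd -v` output and the live configuration files to audit a real host; on Debian-derived systems the binary is named apache2.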

Exploit: DoS, RCE

Weakness Enumeration

Related Identifiers

ALT-PU-2017-1655
CVE-2016-8740
OPENSUSE-SU-2024:10623-1
RHSA-2017:1161
RHSA-2017:1413
RHSA-2017:1414
SUSE-SU-2017:0203-1
SUSE-SU-2017_0203-1

Affected Products

ALT Linux
Apache HTTP Server
SUSE