← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
tenable:117807 · Disclosed 2018-09-25

Apache 2

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a jammed revolving door, not a master key

This maps to CVE-2018-11763 in Apache HTTP Server: by sending continuous oversized HTTP/2 SETTINGS frames, an attacker can keep a connection, a server thread, and CPU time tied up so normal timeout behavior never kicks in. Upstream says it affects Apache HTTP Server 2.4.17 through 2.4.34, and only when the server is actually using the h2/h2c protocol via mod_http2.

Tenable calling this MEDIUM is defensible in a vacuum, but for enterprise patch priority it lands lower. The decisive friction is that this is availability-only, feature-gated by HTTP/2, and not every Apache install even has mod_http2 built or enabled; several distro notes explicitly call out older releases as not affected because HTTP/2 was not enabled in the build. On a real 10,000-host estate, this is mostly an internet-edge web tier hygiene issue, not a fleet-wide emergency.

"Real bug, but narrow reach: only Apache 2.4.17-2.4.34 with HTTP/2 explicitly enabled."
02 · The Attack Path

3 steps from start to impact.

STEP 01

Find an Apache target that actually speaks HTTP/2

The attacker first needs an Apache host in the vulnerable range with mod_http2 active and Protocols h2 or h2c configured. Typical tooling would be curl --http2, nghttp, or h2spec to confirm protocol negotiation rather than trusting a banner alone.
Conditions required:
  • Target is running Apache HTTP Server 2.4.17-2.4.34
  • HTTP/2 support is present (mod_http2 available)
  • HTTP/2 is explicitly enabled in Apache configuration
Where this breaks in practice:
  • HTTP/2 is not automatic; Apache requires explicit Protocols configuration
  • Many enterprise Apache instances are reverse-proxied behind CDN/WAF/LB layers that terminate HTTP/2 before Apache ever sees it
  • Version banners are often hidden or misleading because of distro backports
Detection/coverage: External scanners can usually tell whether HTTP/2 is negotiated, but they cannot reliably prove the vulnerable code path without correlating version, module load, and protocol config.
STEP 02

Hold the connection open with continuous SETTINGS frames

Using an HTTP/2-capable client such as nghttp or a custom PoC, the attacker sends continuous large SETTINGS frames. Per Apache/NVD, this keeps the connection busy and prevents timeout behavior from taking effect, pinning server resources to attacker-controlled sessions.
Conditions required:
  • Unauthenticated network reachability to the vulnerable Apache service
  • Ability to negotiate HTTP/2 to the origin
Where this breaks in practice:
  • Some front-end devices normalize, proxy, or terminate HTTP/2 and prevent the malicious frame stream from reaching Apache
  • Rate-limits, connection caps, and DDoS controls can suppress single-source abuse
Detection/coverage: Good L7 telemetry can show long-lived HTTP/2 sessions with abnormal SETTINGS behavior; many vuln scanners do not safely exercise the DoS condition.
STEP 03

Scale sessions until workers and CPU are exhausted

One sticky session is annoying; many concurrent sessions turn it into service degradation or denial of service. The attacker repeats the frame pattern across multiple connections to consume workers and CPU until legitimate requests queue or fail.
Conditions required:
  • Sufficient concurrency from one or more source IPs
  • Target has finite worker/thread capacity exposed to HTTP/2 traffic
Where this breaks in practice:
  • CDN, WAF, reverse proxy, or upstream load balancer may absorb or shed abusive traffic first
  • Horizontal scaling reduces single-node impact, though it does not remove the bug
  • Enterprise DDoS protections often trigger before complete outage from a lone host
Detection/coverage: Monitor for spikes in HTTP/2 connections, rising busy workers, elevated CPU, and long-lived sessions. Nessus plugin 117807 is a version-based indicator, not proof that exploitation succeeded.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo authoritative active-exploitation signal found from CISA KEV, and I found no primary-source campaign reporting tied to this CVE. Treat it as *exploitable* but not *currently hunted*.
KEV statusNot listed in the CISA Known Exploited Vulnerabilities catalog.
PoC availabilityPublic exploit discussion exists and secondary aggregators report multiple GitHub PoCs for this bug class, but this is still DoS tooling, not weaponized RCE.
EPSSSearch-indexed EPSS data shows roughly 0.92% probability / ~81st percentile. That's not nothing, but it's far from a panic signal.
CVSS vectorCVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H = remote and unauthenticated, but high attack complexity and availability-only.
Affected versionsUpstream/NVD: Apache HTTP Server 2.4.17 through 2.4.34. Apache also states it only affects servers with the h2 protocol enabled.
Fixed versionsUpstream fix is Apache 2.4.35. Distro backports exist: Debian fixed stretch in 2.4.25-3+deb9u6; Ubuntu fixed 18.04 LTS in 2.4.29-1ubuntu4.4; Red Hat shipped fixes in RHSA-2019:0367 for JBoss Core Services Apache HTTP Server 2.4.29.
Exposure realityReachable population is much smaller than raw Apache counts because the bug requires origin-side HTTP/2. If your CDN/WAF/LB terminates HTTP/2 upstream and speaks HTTP/1.1 to Apache, this path dies there.
Disclosure and researcherIssue public 2018-09-25; Apache lists the discoverer as Gal Goldshtein of F5 Networks.
Scanner nuanceNessus plugin 117807 is a version-based remote check. Expect noise on distros with backports or on hosts where Apache is in-range but HTTP/2 is not enabled.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (3.6/10)

The single biggest downgrade factor is feature gating: exploitation only matters when vulnerable Apache is actually handling HTTP/2 traffic at the origin. That sharply cuts exposed population, and the impact is limited to availability degradation, not code execution or data loss.

HIGH Affected-version and fix-range mapping
HIGH HTTP/2 enablement as the decisive friction point
MEDIUM Exploit prevalence and public PoC count

Why this verdict

  • Downward pressure: requires origin-side HTTP/2 — Apache says the bug only affects servers with h2 enabled, and Apache requires explicit Protocols configuration for HTTP/2.
  • Downward pressure: narrow real-world exposure — internal-only Apache, reverse-proxied Apache, and HTTP/1.1-only backends are out of scope even if the version string looks vulnerable.
  • Downward pressure: availability-only impact — this is a worker/CPU exhaustion DoS, not auth bypass, data theft, or RCE.
  • Baseline kept above IGNORE — it is still unauthenticated network-reachable on exposed sites and can cause customer-visible outage if enough sessions are sustained.
  • More downward pressure: no KEV / no strong current campaign evidence — absent exploitation evidence matters when deciding what jumps the patch queue.

Why not higher?

If this were broadly reachable across default installs, or if there were reliable evidence of active exploitation, it could sit in MEDIUM. But requiring HTTP/2 at the Apache origin is a real deployment filter, and many enterprises terminate HTTP/2 upstream on a proxy/CDN where this Apache-specific path never lands.

Why not lower?

I would not mark it IGNORE because a directly exposed Apache edge node with HTTP/2 enabled can still be knocked over by an unauthenticated attacker. For customer-facing estates, even availability-only bugs deserve tracking when they are remotely triggerable.

05 · Compensating Control

What to do — in priority order.

  1. Disable HTTP/2 where you do not need it — Remove h2/h2c from the Apache Protocols directive or unload mod_http2 on affected hosts that do not require origin-side HTTP/2. For a LOW verdict there is no SLA, so treat this as backlog hygiene unless the host is a business-critical public edge, where it is still a smart hardening move.
  2. Terminate HTTP/2 upstream — If you already run a CDN, reverse proxy, or load balancer, prefer terminating HTTP/2 there and speaking HTTP/1.1 to legacy Apache backends. This removes the vulnerable protocol path without waiting on an origin refresh; for LOW, do it during normal change windows.
  3. Enforce connection and rate controls — Use WAF/LB/CDN connection caps, per-IP rate limits, and HTTP/2 abuse protections to make sustained SETTINGS-frame abuse harder to scale. This is mitigation only, not a fix, and for LOW it belongs in routine tuning rather than emergency change.
  4. Validate distro backports before opening tickets — Check package advisory status on Debian/Ubuntu/RHEL/SUSE before forcing upgrades just because a remote banner says < 2.4.35. For LOW, avoid wasting patch cycles on false positives caused by backported fixes.
What doesn't work
  • Simply hiding the Server banner doesn't help; the attack does not require version disclosure once a vulnerable HTTP/2 service is found.
  • MFA, SSO, and login hardening don't matter here; the attack is unauthenticated and hits the web server protocol layer.
  • Host EDR is not the primary stop-control; this is protocol abuse causing resource exhaustion, not a payload dropped onto disk.
06 · Verification

Crowdsourced verification payload.

Run this on the target Apache host as a user that can execute apachectl/httpd and read Apache config, ideally root or with sudo. Save as check_cve_2018_11763.sh and run sudo bash check_cve_2018_11763.sh /etc/httpd /etc/apache2; it checks the local Apache version, whether http2_module is loaded, and whether any config enables Protocols ... h2|h2c.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_cve_2018_11763.sh
# Detect likely exposure to CVE-2018-11763 on Apache HTTP Server.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

CONFIG_PATHS=("${@}")
if [ ${#CONFIG_PATHS[@]} -eq 0 ]; then
  CONFIG_PATHS=(/etc/httpd /etc/apache2 /usr/local/etc/apache2)
fi

APACHECTL=""
for c in apachectl apache2ctl httpd; do
  if command -v "$c" >/dev/null 2>&1; then
    APACHECTL="$c"
    break
  fi
done

if [ -z "$APACHECTL" ]; then
  echo "UNKNOWN - apachectl/apache2ctl/httpd not found"
  exit 2
fi

get_version() {
  "$APACHECTL" -v 2>/dev/null | awk -F'[:/ ]+' '/Server version|Server built/ {for(i=1;i<=NF;i++) if($i ~ /^[0-9]+\.[0-9]+\.[0-9]+$/){print $i; exit}}'
}

ver_to_int() {
  local IFS=.
  local a b c
  read -r a b c <<< "$1"
  printf "%03d%03d%03d\n" "${a:-0}" "${b:-0}" "${c:-0}"
}

VERSION="$(get_version)"
if [ -z "$VERSION" ]; then
  echo "UNKNOWN - could not determine Apache version"
  exit 2
fi

VINT="$(ver_to_int "$VERSION")"
LOW="$(ver_to_int "2.4.17")"
HIGH="$(ver_to_int "2.4.34")"
FIXED="$(ver_to_int "2.4.35")"

# Check whether mod_http2 is loaded.
MODULES="$($APACHECTL -M 2>/dev/null || true)"
HTTP2_LOADED=0
if printf '%s\n' "$MODULES" | grep -Eq '(^| )http2_module( |$)'; then
  HTTP2_LOADED=1
fi

# Search config for explicit Protocols enabling h2 or h2c.
HTTP2_ENABLED=0
SEARCH_HIT=""
for p in "${CONFIG_PATHS[@]}"; do
  if [ -e "$p" ]; then
    hit=$(grep -RIsnE '^\s*Protocols\s+.*\b(h2|h2c)\b' "$p" 2>/dev/null | head -n 1 || true)
    if [ -n "$hit" ]; then
      HTTP2_ENABLED=1
      SEARCH_HIT="$hit"
      break
    fi
  fi
done

# Backport caveat: package builds may be fixed while version remains < 2.4.35.
# If version is in range and HTTP/2 is enabled, report VULNERABLE-LIKELY.
if [ "$VINT" -lt "$LOW" ]; then
  echo "PATCHED - Apache $VERSION is older than 2.4.17; upstream says vulnerable code path starts at 2.4.17"
  exit 0
fi

if [ "$VINT" -ge "$FIXED" ]; then
  echo "PATCHED - Apache $VERSION is >= 2.4.35"
  exit 0
fi

if [ "$VINT" -ge "$LOW" ] && [ "$VINT" -le "$HIGH" ]; then
  if [ "$HTTP2_LOADED" -eq 1 ] && [ "$HTTP2_ENABLED" -eq 1 ]; then
    echo "VULNERABLE - Apache $VERSION is in the affected range, http2_module is loaded, and HTTP/2 appears enabled: $SEARCH_HIT"
    exit 1
  fi
  if [ "$HTTP2_LOADED" -eq 0 ] || [ "$HTTP2_ENABLED" -eq 0 ]; then
    echo "UNKNOWN - Apache $VERSION is in the affected range but HTTP/2 is not confirmed active (module_loaded=$HTTP2_LOADED, protocols_enabled=$HTTP2_ENABLED). Verify distro backports and runtime path."
    exit 2
  fi
fi

echo "UNKNOWN - unable to reach a confident verdict for Apache $VERSION"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: do not let this jump ahead of RCEs or KEV-listed web edge bugs. First, validate whether each finding is a real exposure by confirming HTTP/2 is enabled at the Apache origin and not just reported from a banner; if the host is public-facing and business-critical, disable h2/h2c or terminate HTTP/2 upstream during the next normal change window. Because this is a LOW verdict, there is no noisgate mitigation SLA and noisgate remediation SLA is no SLA (treat as backlog hygiene)—in practice, document false positives from distro backports, suppress non-exposed instances, and roll true exposed stragglers into routine web-tier lifecycle cleanup rather than emergency patching.

Sources

  1. Tenable plugin 117807
  2. Apache HTTP Server 2.4 vulnerability list
  3. NVD CVE-2018-11763
  4. Apache mod_http2 documentation
  5. Apache HTTP/2 guide
  6. Debian tracker CVE-2018-11763
  7. Ubuntu CVE page
  8. Red Hat RHSA-2019:0367
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.