CVE-2016-1546

Vulnerability

CVE-2016-1546 is a denial-of-service vulnerability in the Apache HTTP Server versions 2.4.17 and 2.4.18 when the mod_http2 module is enabled [1]. The server does not limit the number of simultaneous stream workers for a single HTTP/2 connection, allowing an attacker to exhaust resources by sending frames with modified flow-control windows.

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by establishing an HTTP/2 connection and sending specially crafted flow-control window updates that cause the server to allocate excessive stream workers. No special privileges or user interaction is required; the attacker only needs network access to the server.

Impact

Successful exploitation leads to a denial-of-service condition where the server's stream-processing capacity is exhausted, preventing legitimate HTTP/2 requests from being processed. This can result in service disruption for all users relying on the affected server.

Mitigation

The vulnerability is fixed in Apache HTTP Server 2.4.19 and later releases [1]. Users should upgrade to version 2.4.19 or newer. Red Hat Enterprise Linux users can apply the fix via RHSA-2017:1161 [3]. Gentoo users are advised to upgrade to >=www-servers/apache-2.4.23 [4]. No workaround is available if upgrading is not possible.