Published:2016/09/15  Last Updated:2016/09/15

JVN#94779084
H2O use of externally-controlled format string

Overview

H2O uses externally-controlled format strings.

Products Affected

  • H2O version 2.0.3 and earlier
  • H2O version 2.1.0-beta2 and earlier

Description

H2O is an open source web server software. H2O uses externally-controlled format strings (CWE-134) in the code which output error logs.

Impact

An unauthenticated remote attacker may cause a denial-of-service (DoS) condition.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Vendor Status

Vendor Link
Kazuho Oku H2O Issues - GitHub

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score: 3.7
CVSS v2 AV:N/AC:M/Au:N/C:N/I:N/A:P
Base Score: 4.3

Credit

Kazuho Oku reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and Kazuho Oku coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2016-4864
JVN iPedia JVNDB-2016-000159