Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ALAS2-2020-1493

Related Vulnerabilities: CVE-2020-11993   CVE-2020-9490  

Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers. A flaw was found in Apache httpd in versions prior to 2.4.46. A specially crafted Cache-Digest header triggers negative argument to memmove() that could lead to a crash and denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-9490) Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers. A flaw was found in Apache httpd in versions 2.4.20 to 2.4.43. Logging using the wrong pool by mod_http2 at debug/trace log level may lead to potential crashes and denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-11993)

Source

ALAS2-2020-1493

Amazon Linux 2 Security Advisory: ALAS-2020-1493
Advisory Release Date: 2020-09-15 17:44 Pacific
Advisory Updated Date: 2020-09-16 23:43 Pacific
Severity: Important
Issue Overview:

Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers. A flaw was found in Apache httpd in versions prior to 2.4.46. A specially crafted Cache-Digest header triggers negative argument to memmove() that could lead to a crash and denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-9490)

Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers. A flaw was found in Apache httpd in versions 2.4.20 to 2.4.43. Logging using the wrong pool by mod_http2 at debug/trace log level may lead to potential crashes and denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-11993)


Affected Packages:

mod_http2


Issue Correction:
Run yum update mod_http2 to update your system.

New Packages:
aarch64:
    mod_http2-1.15.14-2.amzn2.aarch64
    mod_http2-debuginfo-1.15.14-2.amzn2.aarch64

i686:
    mod_http2-1.15.14-2.amzn2.i686
    mod_http2-debuginfo-1.15.14-2.amzn2.i686

src:
    mod_http2-1.15.14-2.amzn2.src

x86_64:
    mod_http2-1.15.14-2.amzn2.x86_64
    mod_http2-debuginfo-1.15.14-2.amzn2.x86_64

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started