
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN443
_____________________________________________________________________

DATE                : 12/08/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache HTTP Server versions prior to 2.4.46.

=====================================================================
https://downloads.apache.org/httpd/CHANGES_2.4.46
https://lists.apache.org/thread.html/rabf968f5dd21f20b5088f788b9c98e87a4514657340c580f03df9db1%40%3Cannounce.httpd.apache.org%3E
https://lists.apache.org/thread.html/r2f1531b7eefe449443ee5fe367ce96c084963a249a149f89692503a6%40%3Cannounce.httpd.apache.org%3E
https://www.openwall.com/lists/oss-security/2020/08/07/2
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-9490
_____________________________________________________________________

Changes with Apache 2.4.46
  *) SECURITY: CVE-2020-11984 (cve.mitre.org)
     mod_proxy_uwsgi: Malicious request may result in information disclosure
     or RCE of existing file on the server running under a malicious process
     environment. [Yann Ylavic]

  *) SECURITY: CVE-2020-11993 (cve.mitre.org)
     mod_http2: when throttling connection requests, log statements
     were possibly made that result in concurrent, unsafe use of
     a memory pool. [Stefan Eissing]

  *) SECURITY:
     mod_http2: a specially crafted value for the 'Cache-Digest' header
     request would result in a crash when the server actually tries
     to HTTP/2 PUSH a resource afterwards.
     [Stefan Eissing, Eric Covener, Christophe Jaillet]

  *) mod_proxy_fcgi: Fix build warnings for Windows platform

_____________________________________________________________________

CVE-2020-11993: Push Diary Crash on Specifically Crafted HTTP/2 Header

Severity: moderate

Vendor: Apache Software Foundation

Versions Affected:
Apache HTTP Server 2.4.20 to 2.4.43

Description:
Apache HTTP Server versions 2.4.20 to 2.4.43
When trace/debug was enabled for the HTTP/2 module and on
certain traffic edge patterns, logging statements were made on
the wrong connection, causing concurrent use of memory pools.

Mitigation:
Configuring the LogLevel of mod_http2 above "info" will mitigate this
vulnerability for unpatched servers.

Credit:
Felix Wilhelm of Google Project Zero

References:
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-11993

_____________________________________________________________________

CVE-2020-11984: mod_uwsgi buffer overflow

Severity: moderate

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.32 to 2.4.44

Description:
Apache HTTP Server 2.4.32 to 2.4.44
mod_proxy_uwsgi info disclosure and possible RCE

Mitigation:
disable mod_uwsgi

Credit:
Discovered by Felix Wilhelm of Google Project Zero

References:
https://httpd.apache.org/security/vulnerabilities_24.html

_____________________________________________________________________


CVE-2020-11985: CWE-345: Insufficient verification of data authenticity

Severity: low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.1 to 2.4.23

Description:
Apache HTTP Server 2.4.1 to 2.4.23
IP address spoofing when proxying using mod_remoteip and mod_rewrite

Mitigation:
Disable mod_remoteip

Credit:
Initially reported at
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1875299

References:
https://httpd.apache.org/security/vulnerabilities_24.html

_____________________________________________________________________


important: Push Diary Crash on Specifically Crafted HTTP/2 Header
(CVE-2020-9490)

    Apache HTTP Server versions 2.4.20 to 2.4.43
    A specially crafted value for the 'Cache-Digest' header in an HTTP/2
    request would result in a crash when the server actually tries to HTTP/2
    PUSH a resource afterwards.

    Configuring the HTTP/2 feature via "H2Push off" will mitigate this
    vulnerability for unpatched servers.

    Acknowledgements: Felix Wilhelm of Google Project Zero
    Reported to security team   24th April 2020
    Issue public                7th August 2020
    Update Released             7th August 2020
    Affects                     2.4.43, 2.4.39, 2.4.38, 2.4.37, 2.4.35,
                                2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28,
                                2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20
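
A triage check for the four CVEs above, added here as an example (it is not
code from Apache or CERT-Renater). It combines the affected version ranges,
the modules involved and the mitigations listed in this note. Assumptions:
the function names are hypothetical, the inputs are constructed samples in
the form printed by "apachectl -v" and "apachectl -M", the configuration is
flat (no per-vhost overrides), and "above info" is read as any LogLevel
other than debug or trace1..trace8.

```python
import re

# (first affected, last affected, module) per CVE, as listed in this advisory.
ADVISORY = {
    "CVE-2020-11993": ((2, 4, 20), (2, 4, 43), "http2_module"),
    "CVE-2020-9490": ((2, 4, 20), (2, 4, 43), "http2_module"),
    "CVE-2020-11984": ((2, 4, 32), (2, 4, 44), "proxy_uwsgi_module"),
    "CVE-2020-11985": ((2, 4, 1), (2, 4, 23), "remoteip_module"),
}

def http2_log_level(config):
    """Effective LogLevel for mod_http2 in a flat, server-level config."""
    level = "warn"  # httpd default when no LogLevel is set
    for line in re.findall(r"^[ \t]*LogLevel[ \t]+(.+)$", config, re.M | re.I):
        for spec in line.lower().split():
            module, _, value = spec.rpartition(":")
            if not module:  # bare level: applies to every module
                level = value
            elif module in ("http2", "http2_module", "mod_http2.c"):
                level = value
    return level

def triage(version_line, modules_out, config):
    """Map each CVE to 'unaffected version', 'mitigated' or 'exposed'."""
    found = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", version_line)
    if not found:
        raise ValueError("no Apache/x.y.z version in input")
    version = tuple(int(part) for part in found.groups())
    loaded = set(re.findall(r"^[ \t]*(\w+_module)\b", modules_out, re.M))
    pushes = re.findall(r"^[ \t]*H2Push[ \t]+(on|off)\b", config, re.M | re.I)
    config_fix = {
        # Assumed reading of "above info": anything but debug/trace1..trace8.
        "CVE-2020-11993": not http2_log_level(config).startswith(("debug", "trace")),
        "CVE-2020-9490": bool(pushes) and pushes[-1].lower() == "off",
    }
    report = {}
    for cve, (first, last, module) in ADVISORY.items():
        if not first <= version <= last:
            report[cve] = "unaffected version"
        elif module not in loaded or config_fix.get(cve, False):
            report[cve] = "mitigated"  # module disabled or directive in place
        else:
            report[cve] = "exposed"
    return report

# Constructed sample input (not captured from a real host).
SAMPLE_VERSION = "Server version: Apache/2.4.41 (Ubuntu)"
SAMPLE_MODULES = "Loaded Modules:\n core_module (static)\n http2_module (shared)\n proxy_uwsgi_module (shared)\n"
SAMPLE_CONFIG = "LogLevel warn http2:debug\nProtocols h2 http/1.1\nH2Push off\n"
```

On the constructed sample, "H2Push off" covers CVE-2020-9490, while the
http2:debug log level and the loaded proxy_uwsgi module leave CVE-2020-11993
and CVE-2020-11984 exposed until the server is upgraded to 2.4.46.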


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================





