Описание
Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.
A flaw was found in Apache httpd in versions 2.4.20 to 2.4.43. Logging using the wrong pool by mod_http2 at debug/trace log level may lead to potential crashes and denial of service. The highest threat from this vulnerability is to system availability.
Отчет
Red Hat Enterprise Linux 5, 6, and 7 do not ship the vulnerable version of httpd and, thus, are not affected.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | httpd | Not affected | ||
| Red Hat Enterprise Linux 6 | httpd | Not affected | ||
| Red Hat Enterprise Linux 7 | httpd | Not affected | ||
| Red Hat JBoss Enterprise Web Server 2 | httpd | Out of support scope | ||
| JBoss Core Services on RHEL 6 | jbcs-httpd24-apr | Fixed | RHSA-2020:4384 | 28.10.2020 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-apr-util | Fixed | RHSA-2020:4384 | 28.10.2020 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-brotli | Fixed | RHSA-2020:4384 | 28.10.2020 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-curl | Fixed | RHSA-2020:4384 | 28.10.2020 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-httpd | Fixed | RHSA-2020:4384 | 28.10.2020 |
| JBoss Core Services on RHEL 6 | jbcs-httpd24-jansson | Fixed | RHSA-2020:4384 | 28.10.2020 |
Показывать по
Дополнительная информация
Статус:
7.5 High
CVSS3
Связанные уязвимости
Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.
Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.
Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enab ...
Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.
7.5 High
CVSS3