Описание
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
A flaw was found in Apache httpd in versions prior to 2.4.46. A specially crafted Cache-Digest header triggers negative argument to memmove() that could lead to a crash and denial of service. The highest threat from this vulnerability is to system availability.
Отчет
As per upstream this flaw only affects Apache HTTP Server versions 2.4.20 to 2.4.43. Therefore only httpd packages shipped with Red Hat Enterprise Linux 8 are affected.
Меры по смягчению последствий
Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | httpd | Not affected | ||
| Red Hat Enterprise Linux 6 | httpd | Not affected | ||
| Red Hat Enterprise Linux 7 | httpd | Not affected | ||
| Red Hat JBoss Core Services | httpd | Not affected | ||
| Red Hat JBoss Enterprise Web Server 2 | httpd | Out of support scope | ||
| Red Hat Enterprise Linux 8 | httpd | Fixed | RHSA-2020:3714 | 10.09.2020 |
| Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions | httpd | Fixed | RHSA-2020:3734 | 14.09.2020 |
| Red Hat Enterprise Linux 8.1 Extended Update Support | httpd | Fixed | RHSA-2020:3726 | 11.09.2020 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | httpd24-httpd | Fixed | RHSA-2020:3733 | 14.09.2020 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | httpd24-httpd | Fixed | RHSA-2020:3733 | 14.09.2020 |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted valu ...
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
EPSS
7.5 High
CVSS3