Bug 1866560 (CVE-2020-9490)

Summary: CVE-2020-9490 httpd: Push diary crash on specifically crafted HTTP/2 header
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: bnater, csutherl, gandavar, gzaronik, hhorak, huzaifas, jclere, jdoyle, jorton, jwon, krathod, lgao, luhliari, mbabacek, mturk, mvanderw, myarboro, pjindal, pslavice, rsvoboda, security-response-team, weli, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: httpd 2.4.44
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache httpd in versions prior to 2.4.46. A specially crafted Cache-Digest header triggers a negative argument to memmove(), which could lead to a crash and denial of service. The highest threat from this vulnerability is to system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-09-10 13:17:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1868146, 1869068, 1869069, 1869070, 1869071, 1869072, 1869073
Bug Blocks: 1866566

Description Pedro Sampaio 2020-08-05 21:59:45 UTC
A flaw was found in httpd before version 2.4.46. A specially crafted Cache-Digest header triggers a negative argument to memmove(), which could lead to a crash and denial of service.

Upstream patch: 

http://svn.apache.org/viewvc?view=revision&revision=1880396
https://github.com/icing/mod_h2/commit/b8a8c5061eada0ce3339b24ba1d587134552bc0c

Comment 1 Pedro Sampaio 2020-08-05 21:59:49 UTC
Acknowledgments:

Name: the Apache project

Comment 3 Ted Jongseok Won 2020-08-06 00:16:43 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Enterprise Web Server 2

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 5 Guilherme de Almeida Suckevicz 2020-08-11 19:44:48 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1868146]

Comment 6 Huzaifa S. Sidhpurwala 2020-08-16 09:58:42 UTC
Statement:

As per upstream this flaw only affects Apache HTTP Server versions 2.4.20 to 2.4.43. Therefore only httpd packages shipped with Red Hat Enterprise Linux 8 are affected.

Comment 7 Huzaifa S. Sidhpurwala 2020-08-16 09:58:49 UTC
External References:

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-9490

Comment 8 Huzaifa S. Sidhpurwala 2020-08-16 09:59:43 UTC
Mitigation:

Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability.

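Added here as an example (not from the bug report, Red Hat, or the httpd project): a POSIX shell first-pass check for the "H2Push off" mitigation in Comment 8 and the affected upstream range in Comment 6. It assumes configuration files are scanned as plain text, so Include ordering, <IfModule> guards and per-<VirtualHost> overrides are not modelled, and a host only counts as mitigated when every H2Push directive says off.

```shell
#!/bin/sh
# Added example, not part of the bug report or of httpd. Checks the mitigation
# named in Comment 8 (H2Push off) and the affected range from Comment 6
# (2.4.20 through 2.4.43). Assumption: config is scanned as plain text, without
# modelling Include order, <IfModule> guards or <VirtualHost> overrides.

# Succeeds (exit 0) only when H2Push is set and every occurrence is "off".
# Fails when it is never set (httpd's default is on) or any occurrence is on.
# Argument: a file or directory to scan. Commented-out lines are ignored
# because the pattern anchors the directive at the start of the line.
h2push_off() {
  vals=$(grep -rhiE '^[[:space:]]*H2Push[[:space:]]+' "$1" 2>/dev/null \
         | awk '{print tolower($2)}')
  [ -n "$vals" ] || return 1
  for v in $vals; do
    [ "$v" = "off" ] || return 1
  done
  return 0
}

# Succeeds when an upstream version string such as "2.4.37" lies in 2.4.20..2.4.43.
# Distribution builds backport fixes without changing this string, so on RHEL 8
# confirm via the erratum (RHSA-2020:3714) rather than trusting the version alone.
version_affected() {
  maj=${1%%.*}; rest=${1#*.}
  min=${rest%%.*}; patch=${rest#*.}; patch=${patch%%[!0-9]*}
  [ "$maj" -eq 2 ] && [ "$min" -eq 4 ] && [ "$patch" -ge 20 ] && [ "$patch" -le 43 ]
}

# Constructed sample configuration for a stand-alone run: the main file only
# has push commented out, a drop-in file actually disables it.
demo=$(mktemp -d)
printf 'LoadModule http2_module modules/mod_http2.so\nProtocols h2 http/1.1\n# H2Push on\n' \
  > "$demo/httpd.conf"
printf 'H2Push off\n' > "$demo/mitigation.conf"
if h2push_off "$demo"; then
  echo "server push disabled in $demo"
else
  echo "server push still enabled (default or explicit) in $demo"
fi
rm -rf "$demo"
```

The version test applies to upstream tarballs only; a distro package that reports 2.4.37 may already carry the backported fix, so pair it with the package's changelog or the listed erratum.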
Comment 21 errata-xmlrpc 2020-09-10 13:05:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3714 https://access.redhat.com/errata/RHSA-2020:3714

Comment 22 Product Security DevOps Team 2020-09-10 13:17:45 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-9490

Comment 25 errata-xmlrpc 2020-09-11 13:10:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:3726 https://access.redhat.com/errata/RHSA-2020:3726

Comment 28 errata-xmlrpc 2020-09-14 12:41:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:3734 https://access.redhat.com/errata/RHSA-2020:3734

Comment 29 errata-xmlrpc 2020-09-14 13:01:06 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2020:3733 https://access.redhat.com/errata/RHSA-2020:3733

Comment 34 Red Hat Bugzilla 2023-09-15 00:46:07 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days