Bug 1866560 (CVE-2020-9490) - CVE-2020-9490 httpd: Push diary crash on specifically crafted HTTP/2 header [NEEDINFO]
Summary: CVE-2020-9490 httpd: Push diary crash on specifically crafted HTTP/2 header
Status: CLOSED ERRATA
Alias: CVE-2020-9490
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assignee: Red Hat Product Security
Depends On: 1868146 1869068 1869069 1869070 1869071 1869072 1869073
Blocks: 1866566
Reported: 2020-08-05 21:59 UTC by Pedro Sampaio
Modified: 2021-02-16 19:32 UTC

Fixed In Version: httpd 2.4.44
Doc Text:
A flaw was found in Apache httpd in versions prior to 2.4.46. A specially crafted Cache-Digest header triggers a negative argument to memmove() that could lead to a crash and denial of service. The highest threat from this vulnerability is to system availability.
Last Closed: 2020-09-10 13:17:45 UTC
huzaifas: needinfo? (jorton)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:3741 0 None None None 2020-09-15 02:49:19 UTC
Red Hat Product Errata RHBA-2020:3758 0 None None None 2020-09-16 10:18:59 UTC
Red Hat Product Errata RHBA-2020:3759 0 None None None 2020-09-16 14:02:19 UTC
Red Hat Product Errata RHSA-2020:3714 0 None None None 2020-09-10 13:05:57 UTC
Red Hat Product Errata RHSA-2020:3726 0 None None None 2020-09-11 13:10:04 UTC
Red Hat Product Errata RHSA-2020:3733 0 None None None 2020-09-14 13:01:09 UTC
Red Hat Product Errata RHSA-2020:3734 0 None None None 2020-09-14 12:41:39 UTC

Description Pedro Sampaio 2020-08-05 21:59:45 UTC
A flaw was found in httpd before version 2.4.46. A specially crafted Cache-Digest header triggers a negative argument to memmove() that could lead to a crash and denial of service.

Upstream patch: 

http://svn.apache.org/viewvc?view=revision&revision=1880396
https://github.com/icing/mod_h2/commit/b8a8c5061eada0ce3339b24ba1d587134552bc0c

Comment 1 Pedro Sampaio 2020-08-05 21:59:49 UTC
Acknowledgments:

Name: the Apache project

Comment 3 Ted (Jong Seok) Won 2020-08-06 00:16:43 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Enterprise Web Server 2

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 5 Guilherme de Almeida Suckevicz 2020-08-11 19:44:48 UTC
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1868146]

Comment 6 Huzaifa S. Sidhpurwala 2020-08-16 09:58:42 UTC
Statement:

As per upstream this flaw only affects Apache HTTP Server versions 2.4.20 to 2.4.43. Therefore only httpd packages shipped with Red Hat Enterprise Linux 8 are affected.

Comment 7 Huzaifa S. Sidhpurwala 2020-08-16 09:58:49 UTC
External References:

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-9490

Comment 8 Huzaifa S. Sidhpurwala 2020-08-16 09:59:43 UTC
Mitigation:

Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability.
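
One way to audit a configuration for the mitigation above, as an added example that is not part of the bug report or of Red Hat's or Apache's tooling. It assumes HTTP/2 is enabled through "Protocols h2" or "h2c", that H2Push defaults to on, and that virtual hosts inherit unset values from the main server; the function name and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONF = """\
Protocols h2 http/1.1
# H2Push off   <- commented out, does not count
<VirtualHost *:443>
    ServerName a.example
    H2Push off
</VirtualHost>
<VirtualHost *:443>
    ServerName b.example
</VirtualHost>
<VirtualHost *:8443>
    ServerName c.example
    Protocols http/1.1
</VirtualHost>
"""

def push_exposed_contexts(conf_text):
    """Return contexts ('global' or a ServerName) with HTTP/2 on and H2Push not off.
    Include directives are not followed: pass the concatenated configuration."""
    glob = {"h2": False, "push": True, "name": "global"}  # assumed defaults
    vhosts, cur = [], glob
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<VirtualHost\b", line, re.I):
            cur = {"h2": None, "push": None, "name": "vhost#%d" % (len(vhosts) + 1)}
            vhosts.append(cur)
        elif re.match(r"</VirtualHost>", line, re.I):
            cur = glob
        else:
            parts = line.split()
            key, args = parts[0].lower(), [a.lower() for a in parts[1:]]
            if key == "protocols":
                cur["h2"] = any(a in ("h2", "h2c") for a in args)
            elif key == "h2push" and args:
                cur["push"] = args[0] != "off"
            elif key == "servername" and args and cur is not glob:
                cur["name"] = parts[1]
    exposed = []
    for ctx in [glob] + vhosts:
        h2 = glob["h2"] if ctx["h2"] is None else ctx["h2"]      # inherit if unset
        push = glob["push"] if ctx["push"] is None else ctx["push"]
        if h2 and push:
            exposed.append(ctx["name"])
    return exposed
```

For the sample above the function reports the main server and b.example; a.example sets H2Push off and c.example does not offer HTTP/2.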

Comment 21 errata-xmlrpc 2020-09-10 13:05:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3714 https://access.redhat.com/errata/RHSA-2020:3714

Comment 22 Product Security DevOps Team 2020-09-10 13:17:45 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-9490

Comment 25 errata-xmlrpc 2020-09-11 13:10:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:3726 https://access.redhat.com/errata/RHSA-2020:3726

Comment 28 errata-xmlrpc 2020-09-14 12:41:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:3734 https://access.redhat.com/errata/RHSA-2020:3734

Comment 29 errata-xmlrpc 2020-09-14 13:01:06 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 6

Via RHSA-2020:3733 https://access.redhat.com/errata/RHSA-2020:3733

