Bug 1743966 (CVE-2019-10081) - CVE-2019-10081 httpd: memory corruption on early pushes
Summary: CVE-2019-10081 httpd: memory corruption on early pushes
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10081
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1743967 1743968 1747286 1747287
Blocks: 1744000
TreeView+ depends on / blocked
 
Reported: 2019-08-21 05:29 UTC by Dhananjay Arunesh
Modified: 2023-03-24 15:17 UTC (History)
22 users (show)

Fixed In Version: httpd 2.4.41
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Apache httpd, in mod_http2. Under certain circumstances, HTTP/2 early pushes could lead to memory corruption, causing a server to crash.
Clone Of:
Environment:
Last Closed: 2020-04-06 22:31:53 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1336 0 None None None 2020-04-06 19:10:10 UTC
Red Hat Product Errata RHSA-2020:1337 0 None None None 2020-04-06 19:26:57 UTC
Red Hat Product Errata RHSA-2020:4751 0 None None None 2020-11-04 03:35:01 UTC

Description Dhananjay Arunesh 2019-08-21 05:29:54 UTC 
A vulnerability was found in httpd, where HTTP/2 very early pushes, for example configured with "H2PushResource", could lead to an overwrite of memory in the pushing request's pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client.
Comment 1 Dhananjay Arunesh 2019-08-21 05:31:00 UTC 
Created httpd tracking bugs for this issue:

Affects: fedora-all [bug 1743967]


Created mod_http2 tracking bugs for this issue:

Affects: fedora-all [bug 1743968]


Created nghttp2 tracking bugs for this issue:

Affects: epel-all [bug 1743969]
Affects: fedora-all [bug 1743971]


Created nginx tracking bugs for this issue:

Affects: fedora-all [bug 1743973]


Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1743970]
Affects: fedora-all [bug 1743972]
Comment 2 Dhananjay Arunesh 2019-08-21 06:13:40 UTC 
External References:

https://httpd.apache.org/security/vulnerabilities_24.html
Comment 3 Kamil Dudka 2019-08-21 07:04:38 UTC 
Could you please explain why you created tracking bugs for nghttp2?
Comment 7 Joshua Padman 2019-08-28 12:27:01 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Enterprise Web Server 3

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 11 Doran Moppert 2019-09-04 03:31:11 UTC 
Mitigation:

This flaw is only exploitable if Apache httpd is configured to respond to HTTP/2 requests, which is done by including "h2" or "h2c" in the "Protocols" list in a configuration file.  The following command can be used to search for possible vulnerable configurations: 

    grep -R '^\s*Protocols\>.*\<h2\>' /etc/httpd/

See https://httpd.apache.org/docs/2.4/mod/mod_http2.html
Comment 13 Kunjan Rathod 2019-10-14 12:08:21 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Enterprise Web Server 2

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 15 errata-xmlrpc 2020-04-06 19:10:08 UTC 
This issue has been addressed in the following products:

  JBoss Core Services Apache HTTP Server 2.4.37 SP2

Via RHSA-2020:1336 https://access.redhat.com/errata/RHSA-2020:1336
Comment 16 errata-xmlrpc 2020-04-06 19:26:55 UTC 
This issue has been addressed in the following products:

  JBoss Core Services on RHEL 6
  JBoss Core Services on RHEL 7

Via RHSA-2020:1337 https://access.redhat.com/errata/RHSA-2020:1337
Comment 17 Product Security DevOps Team 2020-04-06 22:31:53 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10081
Comment 19 errata-xmlrpc 2020-11-04 03:35:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4751 https://access.redhat.com/errata/RHSA-2020:4751
Note You need to log in before you can comment on or make changes to this bug.