A flaw was found in httpd before version 2.4.46, in mod_proxy_uwsgi. The uwsgi protocol does not allow more than 16K of HTTP headers to be serialized into a single backend request, and httpd did not enforce that limit when forwarding a client's headers, which can lead to resource exhaustion and denial of service. Upstream patch: http://svn.apache.org/viewvc?view=revision&revision=1880251
Acknowledgments: Name: the Apache project
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Enterprise Web Server 2
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Created httpd tracking bugs for this issue: Affects: fedora-all [bug 1868148]
External References: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-11984
Statement: Red Hat Enterprise Linux 5, 6, and 7 do not ship the vulnerable version of httpd (their httpd packages predate the inclusion of mod_proxy_uwsgi) and, thus, are not affected.
This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2020:4383 https://access.redhat.com/errata/RHSA-2020:4383
This issue has been addressed in the following products: JBoss Core Services on RHEL 7 JBoss Core Services on RHEL 6 Via RHSA-2020:4384 https://access.redhat.com/errata/RHSA-2020:4384
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-11984
Mitigation: This flaw only affects httpd configurations that proxy requests to backends over the uwsgi protocol (mod_proxy_uwsgi). It does not manifest when the uwsgi protocol is not used. Commenting out "LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so" in /etc/httpd/conf.modules.d/00-proxy.conf will prevent the vulnerable module from being loaded; restart httpd afterwards for the change to take effect. Note that any ProxyPass targets using uwsgi:// URLs will stop working once the module is disabled, so this mitigation is only suitable where uwsgi proxying is not actually in use; otherwise, apply the fixed package.
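The following shell snippet is an added example, not part of the Red Hat advisory or the httpd project, showing how to apply and verify that mitigation: it checks whether any uwsgi:// backends are configured (in which case disabling the module would break them), comments out the LoadModule line in place, and syntax-checks httpd before restarting. The helper names, the config directory argument, and the sample 00-proxy.conf written by make_sample_conf are this example's own assumptions; on a stock Red Hat httpd the real file is /etc/httpd/conf.modules.d/00-proxy.conf.

```shell
# Added example for disabling mod_proxy_uwsgi (CVE-2020-11984 mitigation).
# Not the advisory's or the httpd project's code; paths and names are assumptions.

# Exit status 0 if the config still has an active (uncommented) LoadModule
# line for proxy_uwsgi_module, 1 if it is commented out or absent.
uwsgi_module_enabled() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+proxy_uwsgi_module[[:space:]]' "$1"
}

# Count proxy directives under a config tree that point at a uwsgi:// backend.
# Non-zero means disabling the module will break those routes, so the only
# real fix there is the updated package.
count_uwsgi_routes() {
    grep -Ers '^[[:space:]]*(ProxyPass|ProxyPassMatch|ProxyPassReverse|ProxyRemote)[[:space:]].*uwsgi://' "$1" \
        | wc -l | tr -d ' '
}

# Comment out every active LoadModule line for proxy_uwsgi_module, keeping
# indentation and leaving already-commented lines alone. Writes to a temp file
# and renames so a failed sed never leaves a half-written config behind.
disable_proxy_uwsgi() {
    conf="$1"
    tmp="$conf.tmp.$$"
    sed -E 's|^([[:space:]]*)(LoadModule[[:space:]]+proxy_uwsgi_module[[:space:]].*)$|\1#\2|' "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
}

# Write a constructed 00-proxy.conf (sample input for this example, not a copy
# of the distribution file) so the functions can be exercised without touching /etc.
make_sample_conf() {
    cat > "$1" <<'EOF'
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
#LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
EOF
}

# Full mitigation run on a real host: pass the directory holding the module
# and vhost configs (normally /etc/httpd). Refuses to proceed if uwsgi://
# backends are in use, because the mitigation would silently break them.
mitigate() {
    confdir="$1"
    if [ "$(count_uwsgi_routes "$confdir")" != "0" ]; then
        echo "uwsgi:// backends are configured under $confdir; disabling the module would break them, upgrade httpd instead" >&2
        return 2
    fi
    disable_proxy_uwsgi "$confdir/conf.modules.d/00-proxy.conf" || return 1
    # Syntax-check before restarting; 'httpd -M' afterwards should no longer
    # list proxy_uwsgi_module.
    httpd -t && systemctl restart httpd
}
```

Run `mitigate /etc/httpd` as root on the affected host; for a dry run, point make_sample_conf at a scratch directory first and call disable_proxy_uwsgi on that copy.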
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:1809 https://access.redhat.com/errata/RHSA-2021:1809