Google researcher reported 3 flaws in Apache web server software
If your web server is running on Apache, you should immediately install the latest available version of the server application to prevent hackers from gaining unauthorized control.
Apache recently fixed several vulnerabilities in its web server software that could potentially lead to the execution of arbitrary code and, in specific scenarios, could even allow attackers to cause a crash and a denial of service.
The flaws, identified as CVE-2020-9490, CVE-2020-11984, CVE-2020-11993, were discovered by Felix Wilhelm of Google Project Zero, and have since been fixed by the Apache Foundation in the latest version of the software ( 2.4.46).
The first of three issues concerns a possible remote code execution vulnerability due to a buffer overflow with the “mod_uwsgi” module (CVE-2020-11984), potentially allowing an adversary to view, modify or delete sensitive data. depending on the privileges associated with an application running on the server.
“[A] A malicious request may lead to the disclosure of information or [remote code execution] of an existing file on the server running in a malicious process environment, ânoted Apache.
A second flaw concerns a vulnerability that is triggered when debugging is enabled in the “mod_http2” module (CVE-2020-11993), causing logging instructions on a bad connection and therefore resulting in memory corruption due to the concurrent use of the log pool.
CVE-2020-9490, the more serious of the three, also resides in the HTTP / 2 module and uses a specially designed “Cache-Digest” header to cause memory corruption that can lead to a crash and a denial of service.
Cache Digest is part of a now-discontinued web optimization feature that aims to address an issue with server surges – which allows a server to preemptively send responses to a client in advance – by allowing clients to notify the server of their freshly cached content. so that bandwidth is not wasted sending resources that are already in the client’s cache.
So when a specially crafted value is injected into the ‘Cache-Digest’ header in an HTTP / 2 request, it causes a crash when the server sends a PUSH packet using the header. On unpatched servers, this issue can be resolved by disabling the HTTP / 2 server push functionality.
While there are currently no reports of exploitation of these vulnerabilities in the wild, it is essential that patches are applied to vulnerable systems immediately after proper testing and that they ensure that the application has been successfully tested. been configured with only the permissions required to mitigate the impact.