Apache HTTP Server 2.4 vulnerabilities

important: Push Diary Crash on Specifically Crafted HTTP/2 Header (CVE-2020-9490)

Apache HTTP Server versions 2.4.20 to 2.4.43
A specially crafted value for the 'Cache-Digest' header in an HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards.

Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.

Acknowledgements: Felix Wilhelm of Google Project Zero

Reported to security team 24th April 2020
Issue public 7th August 2020
Update Released 7th August 2020
Affects 2.4.43, 2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20

moderate: mod_proxy_uwsgi buffer overflow (CVE-2020-11984)

Apache HTTP Server versions 2.4.32 to 2.4.43
mod_proxy_uwsgi info disclosure and possible RCE

Acknowledgements: Discovered by Felix Wilhelm of Google Project Zero

Reported to security team 22nd July 2020
Issue public 7th August 2020
Update Released 7th August 2020
Affects 2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33

moderate: Push Diary Crash on Specifically Crafted HTTP/2 Header (CVE-2020-11993)

Apache HTTP Server versions 2.4.20 to 2.4.43
When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools.

Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.

Acknowledgements: Felix Wilhelm of Google Project Zero

Reported to security team 16th June 2020
Issue public 7th August 2020
Update Released 7th August 2020
Affects 2.4.43, 2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20
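An added example, not taken from the advisory or the httpd project: a small POSIX shell audit that maps a 2.4 patch level onto the three affected ranges above and checks a plain-text httpd.conf for the two published configuration workarounds (H2Push off, and a mod_http2 LogLevel less verbose than info). The version string, the config path and the helper names (`patch_level`, `affected_cves`, `mitigated`, `audit`) are assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the Apache advisory). It checks an httpd 2.4
# patch level against the three ranges above and looks for the published
# configuration workarounds in a plain-text httpd.conf. Assumed inputs:
# a version string like "2.4.43" and a path to the config file.

# patch_level 2.4.43 -> 43; prints nothing for versions outside the 2.4 branch
patch_level() {
    case "$1" in
        2.4.*) printf '%s\n' "${1#2.4.}" | sed 's/[^0-9].*//' ;;
        *) printf '\n' ;;
    esac
}

# affected_cves VERSION -> space-separated CVE ids whose affected range
# (as stated in the advisories) covers VERSION; returns 1 if not 2.4.x
affected_cves() {
    p=$(patch_level "$1")
    [ -n "$p" ] || return 1
    out=""
    if [ "$p" -ge 20 ] && [ "$p" -le 43 ]; then
        out="$out CVE-2020-9490 CVE-2020-11993"
    fi
    if [ "$p" -ge 32 ] && [ "$p" -le 43 ]; then
        out="$out CVE-2020-11984"
    fi
    printf '%s\n' "${out# }"
}

# mitigated CONF CVE -> 0 when the advisory's workaround is set in CONF.
# Only an explicit per-module LogLevel (e.g. "LogLevel http2:warn") is
# recognised; a bare global "LogLevel debug" is not evaluated here.
mitigated() {
    case "$2" in
        CVE-2020-9490)
            grep -Eiq '^[[:space:]]*H2Push[[:space:]]+off' "$1" ;;
        CVE-2020-11993)
            grep -Eiq '^[[:space:]]*LogLevel[[:space:]].*(mod_)?http2(_module)?:(emerg|alert|crit|error|warn|notice)' "$1" ;;
        *)  return 1 ;;   # CVE-2020-11984: no config workaround, patch only
    esac
}

# audit VERSION CONF -> one status line per applicable advisory
audit() {
    for cve in $(affected_cves "$1"); do
        if mitigated "$2" "$cve"; then
            printf '%s: affected build, workaround present\n' "$cve"
        else
            printf '%s: affected build, NOT mitigated - upgrade\n' "$cve"
        fi
    done
}

# Usage: audit "$(httpd -v | sed -n 's/^Server version: Apache\/\([0-9.]*\).*/\1/p')" /etc/httpd/conf/httpd.conf
```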

https://httpd.apache.org/security/vulnerabilities_24.html
