Amazon ALAS2-2020-1490

Important: httpd

Published: 2020-09-15 17:18:00
Source: alas.aws.amazon.com

CVSS3: 9.8 High
    Attack Vector: NETWORK
    Attack Complexity: LOW
    Privileges Required: NONE
    User Interaction: NONE
    Scope: UNCHANGED
    Confidentiality Impact: HIGH
    Integrity Impact: HIGH
    Availability Impact: HIGH
    Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.8 High (Confidence: High)

CVSS2: 7.5 High
    Access Vector: NETWORK
    Access Complexity: LOW
    Authentication: NONE
    Confidentiality Impact: PARTIAL
    Integrity Impact: PARTIAL
    Availability Impact: PARTIAL
    Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.015 Low (Percentile: 86.9%)

Issue Overview:

Apache HTTP server 2.4.32 to 2.4.44: mod_proxy_uwsgi info disclosure and possible RCE. A flaw was found in Apache httpd in versions 2.4.32 to 2.4.46. The uwsgi protocol does not serialize more than 16K of HTTP header, leading to resource exhaustion and denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-11984)

Apache HTTP Server versions 2.4.20 to 2.4.43: a specially crafted value for the ‘Cache-Digest’ header in an HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via “H2Push off” will mitigate this vulnerability for unpatched servers. A flaw was found in Apache httpd in versions prior to 2.4.46. A specially crafted Cache-Digest header triggers a negative argument to memmove() that could lead to a crash and denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-9490)

Apache HTTP Server versions 2.4.20 to 2.4.43: when trace/debug was enabled for the HTTP/2 module, and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above “info” will mitigate this vulnerability for unpatched servers. A flaw was found in Apache httpd in versions 2.4.20 to 2.4.43. Logging using the wrong pool by mod_http2 at debug/trace log level may lead to potential crashes and denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-11993)

Affected Packages:

httpd

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update httpd to update your system.
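
The following is an added example, not part of the Amazon advisory: a small host check that compares an installed httpd version-release against the fixed build and, for an unpatched host, reports whether the two interim mitigations named above (H2Push off, mod_http2 LogLevel not at debug/trace) are in place. The function names, the sample version 2.4.43-1.amzn2 and the sample configuration are constructed for illustration; the version comparison is simplified, and the config is treated as one flat server-level file with no Include or VirtualHost merging.

```python
import re

FIXED = "2.4.46-1.amzn2"  # fixed build from this advisory's "New Packages" list

def vr_key(vr):
    """'2.4.46-1.amzn2' -> (2, 4, 46, 1). Simplified, not rpm's full comparison."""
    version, _, release = vr.partition("-")
    rel = re.match(r"\d+", release)
    return tuple(int(p) for p in version.split(".")) + (int(rel.group()) if rel else 0,)

def audit(installed_vr, conf_text):
    """Findings for one host; an empty list means the fixed package is installed."""
    if vr_key(installed_vr) >= vr_key(FIXED):
        return []
    h2push, h2_level = "on", "warn"  # httpd defaults when the directive is absent
    for raw in conf_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        name, args = parts[0].lower(), [a.lower() for a in parts[1:]]
        if name == "h2push" and args:
            h2push = args[0]
        elif name == "loglevel":
            # "LogLevel warn http2:debug": a bare level applies to every module,
            # a module:level pair overrides it for that module only.
            for spec in args:
                module, _, level = spec.rpartition(":")
                if module in ("", "http2", "http2_module", "mod_http2.c"):
                    h2_level = level
    findings = ["httpd %s is older than %s: run 'yum update httpd'" % (installed_vr, FIXED)]
    if h2push != "off":
        findings.append("CVE-2020-9490: H2Push is not 'off'")
    if h2_level == "debug" or h2_level.startswith("trace"):
        findings.append("CVE-2020-11993: mod_http2 logs at '%s'" % h2_level)
    return findings

# Constructed sample: an older build with HTTP/2 trace logging switched on.
SAMPLE_CONF = """\
Protocols h2 http/1.1
# H2Push off
LogLevel warn http2:trace2
"""

if __name__ == "__main__":
    for line in audit("2.4.43-1.amzn2", SAMPLE_CONF):
        print(line)
```

On a real host the first argument would come from rpm -q --qf '%{VERSION}-%{RELEASE}' httpd. The advisory lists no configuration mitigation for CVE-2020-11984, so the only finding for it is the package update.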

New Packages:

aarch64:  
    httpd-2.4.46-1.amzn2.aarch64  
    httpd-devel-2.4.46-1.amzn2.aarch64  
    httpd-tools-2.4.46-1.amzn2.aarch64  
    mod_ssl-2.4.46-1.amzn2.aarch64  
    mod_md-2.4.46-1.amzn2.aarch64  
    mod_proxy_html-2.4.46-1.amzn2.aarch64  
    mod_ldap-2.4.46-1.amzn2.aarch64  
    mod_session-2.4.46-1.amzn2.aarch64  
    httpd-debuginfo-2.4.46-1.amzn2.aarch64  
  
i686:  
    httpd-2.4.46-1.amzn2.i686  
    httpd-devel-2.4.46-1.amzn2.i686  
    httpd-tools-2.4.46-1.amzn2.i686  
    mod_ssl-2.4.46-1.amzn2.i686  
    mod_md-2.4.46-1.amzn2.i686  
    mod_proxy_html-2.4.46-1.amzn2.i686  
    mod_ldap-2.4.46-1.amzn2.i686  
    mod_session-2.4.46-1.amzn2.i686  
    httpd-debuginfo-2.4.46-1.amzn2.i686  
  
noarch:  
    httpd-manual-2.4.46-1.amzn2.noarch  
    httpd-filesystem-2.4.46-1.amzn2.noarch  
  
src:  
    httpd-2.4.46-1.amzn2.src  
  
x86_64:  
    httpd-2.4.46-1.amzn2.x86_64  
    httpd-devel-2.4.46-1.amzn2.x86_64  
    httpd-tools-2.4.46-1.amzn2.x86_64  
    mod_ssl-2.4.46-1.amzn2.x86_64  
    mod_md-2.4.46-1.amzn2.x86_64  
    mod_proxy_html-2.4.46-1.amzn2.x86_64  
    mod_ldap-2.4.46-1.amzn2.x86_64  
    mod_session-2.4.46-1.amzn2.x86_64  
    httpd-debuginfo-2.4.46-1.amzn2.x86_64  

Additional References

Red Hat: CVE-2020-11984, CVE-2020-11993, CVE-2020-9490

Mitre: CVE-2020-11984, CVE-2020-11993, CVE-2020-9490
