9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.8 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.015 Low
EPSS
Percentile
86.9%
Issue Overview:
CVE-2020-11984: Apache HTTP Server 2.4.32 to 2.4.44, mod_proxy_uwsgi information disclosure and possible RCE. A flaw was found in Apache httpd in versions 2.4.32 to 2.4.44. The uwsgi protocol does not serialize more than 16K of HTTP header, leading to resource exhaustion and denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2020-9490: Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in an HTTP/2 request would result in a crash when the server later tries to HTTP/2 PUSH a resource. The crafted header triggers a negative argument to memmove(), which can crash the process and cause a denial of service. Configuring the HTTP/2 module with "H2Push off" mitigates this vulnerability on unpatched servers. The highest threat from this vulnerability is to system availability.
CVE-2020-11993: Apache HTTP Server versions 2.4.20 to 2.4.43. When trace/debug logging was enabled for the HTTP/2 module, certain traffic edge patterns caused logging statements to be made on the wrong connection, resulting in concurrent use of memory pools and potential crashes (denial of service). Setting the LogLevel of mod_http2 to "info" or less verbose (anything other than debug/trace) mitigates this vulnerability on unpatched servers. The highest threat from this vulnerability is to system availability.
Affected Packages:
httpd
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update httpd to update your system.
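The following shell script is an added example, not part of the ALAS advisory or of the httpd project. It ties together the two things an operator needs from the overview and correction sections above: deciding whether a host's installed httpd is older than the fixed build 2.4.46-1.amzn2 listed under "New Packages", and, while the update is pending, staging the two interim mitigations the advisory names for the HTTP/2 issues ("H2Push off" for CVE-2020-9490, a non-debug mod_http2 LogLevel for CVE-2020-11993). The version comparison is a simplified field-by-field compare written here for the example (it is not rpm's own algorithm), the mitigation file path and name are this example's choice, and the version strings it runs against are constructed inputs rather than a real rpm query; on a live host you would feed it `rpm -q --qf '%{VERSION}-%{RELEASE}\n' httpd`.

```shell
#!/bin/sh
# Added example (not advisory or project code): check an AL2 host's httpd
# against the fixed build and stage the advisory's interim HTTP/2 mitigations
# until "yum update httpd" has been run.

FIXED_VERSION="2.4.46-1.amzn2"   # fixed build from the advisory's New Packages list

# Compare two "x.y.z-r.dist" version-release strings field by field.
# Prints -1, 0 or 1. Simplified stand-in for rpmdev-vercmp (assumption:
# numeric fields compare as numbers, everything else as plain strings).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xv = (i <= n) ? x[i] : ""; yv = (i <= m) ? y[i] : ""
            if (xv ~ /^[0-9]+$/ && yv ~ /^[0-9]+$/) { xv += 0; yv += 0 }
            if (xv < yv) { print "-1"; exit }
            if (xv > yv) { print "1"; exit }
        }
        print "0"
    }'
}

# True (exit 0) when the installed version-release is older than the fix.
# Argument: output of  rpm -q --qf '%{VERSION}-%{RELEASE}\n' httpd
httpd_needs_update() {
    installed="$1"
    [ "$(vercmp "$installed" "$FIXED_VERSION")" -lt 0 ]
}

# Write the interim mitigation config for the two HTTP/2 CVEs.
# The conf.d file name below is this example's choice, not the advisory's.
write_h2_mitigation() {
    outfile="${1:-/etc/httpd/conf.d/zz-alas-h2-mitigation.conf}"
    cat > "$outfile" <<'EOF'
# Interim mitigation until httpd >= 2.4.46-1.amzn2 is installed.
# CVE-2020-9490: disable HTTP/2 server push so a crafted Cache-Digest
# header has no PUSH to trigger.
H2Push off
# CVE-2020-11993: the wrong-pool logging only happens at debug/trace,
# so keep mod_http2 at info (or less verbose).
LogLevel http2:info
EOF
}

# Demonstration on constructed version strings (no rpm query, runs offline).
main() {
    target="${TMPDIR:-/tmp}/alas-h2-mitigation.conf"
    for v in 2.4.41-1.amzn2 2.4.46-1.amzn2 2.4.48-2.amzn2; do
        if httpd_needs_update "$v"; then
            echo "$v: below fixed build, staging interim mitigation in $target"
            write_h2_mitigation "$target"
        else
            echo "$v: fixed build or newer, no mitigation needed"
        fi
    done
}

main "$@"
```

The mitigation file is a stopgap only: once `yum update httpd` has brought the package to 2.4.46-1.amzn2 or later, remove it and run `apachectl configtest` before reloading, since a leftover `H2Push off` silently disables server push for every vhost.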
New Packages:
aarch64:
httpd-2.4.46-1.amzn2.aarch64
httpd-devel-2.4.46-1.amzn2.aarch64
httpd-tools-2.4.46-1.amzn2.aarch64
mod_ssl-2.4.46-1.amzn2.aarch64
mod_md-2.4.46-1.amzn2.aarch64
mod_proxy_html-2.4.46-1.amzn2.aarch64
mod_ldap-2.4.46-1.amzn2.aarch64
mod_session-2.4.46-1.amzn2.aarch64
httpd-debuginfo-2.4.46-1.amzn2.aarch64
i686:
httpd-2.4.46-1.amzn2.i686
httpd-devel-2.4.46-1.amzn2.i686
httpd-tools-2.4.46-1.amzn2.i686
mod_ssl-2.4.46-1.amzn2.i686
mod_md-2.4.46-1.amzn2.i686
mod_proxy_html-2.4.46-1.amzn2.i686
mod_ldap-2.4.46-1.amzn2.i686
mod_session-2.4.46-1.amzn2.i686
httpd-debuginfo-2.4.46-1.amzn2.i686
noarch:
httpd-manual-2.4.46-1.amzn2.noarch
httpd-filesystem-2.4.46-1.amzn2.noarch
src:
httpd-2.4.46-1.amzn2.src
x86_64:
httpd-2.4.46-1.amzn2.x86_64
httpd-devel-2.4.46-1.amzn2.x86_64
httpd-tools-2.4.46-1.amzn2.x86_64
mod_ssl-2.4.46-1.amzn2.x86_64
mod_md-2.4.46-1.amzn2.x86_64
mod_proxy_html-2.4.46-1.amzn2.x86_64
mod_ldap-2.4.46-1.amzn2.x86_64
mod_session-2.4.46-1.amzn2.x86_64
httpd-debuginfo-2.4.46-1.amzn2.x86_64
Red Hat: CVE-2020-11984, CVE-2020-11993, CVE-2020-9490
Mitre: CVE-2020-11984, CVE-2020-11993, CVE-2020-9490
OS | OS Version | Architecture | Package | Affected Version | Fixed Filename |
---|---|---|---|---|---|
Amazon Linux | 2 | aarch64 | httpd | < 2.4.46-1.amzn2 | httpd-2.4.46-1.amzn2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | httpd-devel | < 2.4.46-1.amzn2 | httpd-devel-2.4.46-1.amzn2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | httpd-tools | < 2.4.46-1.amzn2 | httpd-tools-2.4.46-1.amzn2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | mod_ssl | < 2.4.46-1.amzn2 | mod_ssl-2.4.46-1.amzn2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | mod_md | < 2.4.46-1.amzn2 | mod_md-2.4.46-1.amzn2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | mod_proxy_html | < 2.4.46-1.amzn2 | mod_proxy_html-2.4.46-1.amzn2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | mod_ldap | < 2.4.46-1.amzn2 | mod_ldap-2.4.46-1.amzn2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | mod_session | < 2.4.46-1.amzn2 | mod_session-2.4.46-1.amzn2.aarch64.rpm |
Amazon Linux | 2 | aarch64 | httpd-debuginfo | < 2.4.46-1.amzn2 | httpd-debuginfo-2.4.46-1.amzn2.aarch64.rpm |
Amazon Linux | 2 | i686 | httpd | < 2.4.46-1.amzn2 | httpd-2.4.46-1.amzn2.i686.rpm |