9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE
Recent assessments:
dabdine-r7 at August 26, 2020 8:06pm UTC reported:
The details for this vulnerability were scant from Apache, but this is actually an integer overflow in the mod_proxy_uwsgi Apache module. Specifically, if you send enough headers, you can overflow the packet size that gets encoded into the uWSGI protocol header struct. If you do this, you may be able to coerce the uWSGI middleware service to interpret some of the header data as a new uWSGI packet. uWSGI allows file read and remote code execution as part of the protocol.
Hereโs the patch that was silently added from ASF (ignore the 16K comment too, since that is wrong, and it shouldโve been 65K):
https://github.com/apache/httpd/commit/fb08e475bf322f081665fa6f9d9e346136df9337#
In practice this is a bit difficult to exploit, but could in theory lead to tasty, tasty shells. The most interesting thing about this vulnerability is that you would interpret the title as an issue that allows for code execution within the context of Apache itself, whereas in reality it is an issue which allows payload stuffing that ultimately can lead to command execution by crafted payloads sent to the uWSGI middleware/backend service that Apache fronts.
Assessed Attacker Value: 2
Assessed Attacker Value: 2Assessed Attacker Value: 2
lists.opensuse.org/opensuse-security-announce/2020-08/msg00068.html
lists.opensuse.org/opensuse-security-announce/2020-08/msg00071.html
packetstormsecurity.com/files/159009/Apache2-mod_proxy_uwsgi-Incorrect-Request-Handling.html
www.openwall.com/lists/oss-security/2020/08/08/1
www.openwall.com/lists/oss-security/2020/08/08/10
www.openwall.com/lists/oss-security/2020/08/08/8
www.openwall.com/lists/oss-security/2020/08/08/9
www.openwall.com/lists/oss-security/2020/08/10/5
www.openwall.com/lists/oss-security/2020/08/17/2
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11984
httpd.apache.org/security/vulnerabilities_24.html
lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/r09bb998baee74a2c316446bd1a41ae7f8d7049d09d9ff991471e8775@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/r2c6083f6a2027914a0f5b54e2a1f4fa98c03f8693b58460911818255@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/r34753590ae8e3f2b6af689af4fe84269b592f5fda9f3244fd9abbce8@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46ce50eee90b2e36@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/r5debe8f82728a00a4a68bc904dd6c35423bdfc8d601cfb4579f38bf1@%3Cdev.httpd.apache.org%3E
lists.apache.org/thread.html/r623de9b2b2433a87f3f3a15900419fc9c00c77b26936dfea4060f672@%3Cdev.httpd.apache.org%3E
lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
lists.apache.org/thread.html/rf71eb428714374a6f9ad68952e23611ec7807b029fd6a1b4f5f732d9@%3Ccvs.httpd.apache.org%3E
lists.debian.org/debian-lts-announce/2020/09/msg00001.html
lists.fedoraproject.org/archives/list/[email protected]/message/A2RN46PRBJE7E7OPD4YZX5SVWV5QKGV5
lists.fedoraproject.org/archives/list/[email protected]/message/A2RN46PRBJE7E7OPD4YZX5SVWV5QKGV5/
lists.fedoraproject.org/archives/list/[email protected]/message/HYVYE2ZERFXDV6RMKK3I5SDSDQLPSEIQ
lists.fedoraproject.org/archives/list/[email protected]/message/HYVYE2ZERFXDV6RMKK3I5SDSDQLPSEIQ/
security.gentoo.org/glsa/202008-04
security.netapp.com/advisory/ntap-20200814-0005
security.netapp.com/advisory/ntap-20200814-0005/
usn.ubuntu.com/4458-1
usn.ubuntu.com/4458-1/
www.debian.org/security/2020/dsa-4757
www.oracle.com/security-alerts/cpujan2021.html
www.oracle.com/security-alerts/cpuoct2020.html
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P