Lucene search

Felix Wilhelm1337DAY-ID-35422

HistoryDec 08, 2020 - 12:00 a.m.

Apache 2 HTTP2 Module Concurrent Pool Usage Vulnerability

2020-12-0800:00:00

Felix Wilhelm

0day.today

3849

apache

http2

module

pool

usage

vulnerability

allocation

logging

thread-safety

disclosure

cve-2020-11993

exploit

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

8.8

Confidence

High

EPSS

0.004

Percentile

73.5%

JSON

apache2: concurrent pool usage in http2 module

h2_mplx.c contains a number of calls to ap_log_cerror using m->c (the master connection) as an argument. These calls can trigger allocations using the m->c->pool. 
One example is core_generate_log_id. As some of the code in h2_mplx.c is executed on a worker thread, it is possible that the main thread performs a parallel allocation and corrupts the pool. (apr memory pools are not thread-safe)
Most logging calls are using DEBUG and TRACE levels and can't be exploited in a production environment. 
However, the task_done function calls ap_log_cerror with APLOG_INFO when throttling tasks, which can be triggered by a malicious client:

h2_mplx.c:809            
        ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, m->c,
                          H2_STRM_MSG(stream, \"redo, added to q\"));


This bug is subject to a 90 day disclosure deadline. After 90 days elapse, the bug report
will become visible to the public. The scheduled disclosure date is 2020-09-14.
Disclosure at an earlier date is also possible if agreed upon by all parties.

Related CVE Numbers: CVE-2020-11993.