install the latest available version of the server application to
prevent hackers from taking unauthorized control over it.
Apache recently fixed multiple vulnerabilities in its web server
software that could have potentially led to the execution of
arbitrary code and, in specific scenarios, even could allow
attackers to cause a crash and denial of service.
The flaws, tracked as CVE-2020-9490, CVE-2020-11984 and
CVE-2020-11993, were uncovered[1] by Felix Wilhelm of Google
Project Zero, and have since been addressed by the Apache
Foundation in the latest version of the software (2.4.46)[2].
execution vulnerability due to a buffer overflow with the
“mod_uwsgi” module (CVE-2020-11984), potentially allowing an
adversary to view, change, or delete sensitive data depending on
the privileges associated with an application running on the
server.
“[A] malicious request may result in information disclosure or
[remote code execution] of an existing file on the server running
under a malicious process environment,” Apache noted[3].
A second flaw concerns a vulnerability that’s triggered when
debugging is enabled in the “mod_http2[4]” module
(CVE-2020-11993), causing logging statements to be made on the
wrong connection and therefore resulting in memory corruption due
to the concurrent log pool usage.
CVE-2020-9490, the most severe of the three, also resides in the
HTTP/2 module: a specially crafted ‘Cache-Digest’ header[5]
triggers memory corruption that leads to a crash and denial of
service.
Cache Digest is part of a now-abandoned web optimization
feature[6] that aims to address an issue with server pushes (which
allow a server to preemptively send responses to a client ahead of
time) by allowing clients to inform the server of their freshly
cached contents, so that bandwidth is not wasted sending resources
that are already in the client’s cache.
Thus, when a specially crafted value is injected into the
‘Cache-Digest’ header of an HTTP/2 request, the server crashes when
it sends a PUSH packet using that header. On unpatched servers, the
issue can be worked around by turning the HTTP/2 server push[7]
feature off.
Although there are currently no reports of these vulnerabilities
being exploited in the wild, it’s essential that the patches are
applied to vulnerable systems immediately after appropriate testing,
and that the application is configured with only the required
permissions so as to mitigate the impact.
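As an added example (not code from the article or from the Apache project), the following POSIX shell helpers let an administrator triage a host against the fixes described above: they parse the banner that `httpd -v` (or `apache2 -v` on Debian-style systems) prints, compare it numerically with the 2.4.46 fix release, and check whether a configuration dump carries the `H2Push off` workaround. The function names and the sample banner strings are constructed for this example.

```shell
#!/bin/sh
# Added triage helpers (not from the article). FIXED_VERSION is the release
# the article names as carrying the fixes.
FIXED_VERSION="2.4.46"

# Extract "2.4.43" from a banner such as "Server version: Apache/2.4.43 (Unix)".
httpd_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# Compare two dotted versions component by component (numerically, so
# 2.4.46 > 2.4.5). Prints -1, 0 or 1 for a<b, a=b, a>b.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$a" = "$ai" ] && a="" || a=${a#*.}
        [ "$b" = "$bi" ] && b="" || b=${b#*.}
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# True (exit 0) when the banner reports FIXED_VERSION or newer;
# exit 2 when the banner is not recognised at all.
httpd_is_patched() {
    v=$(httpd_version_from_banner "$1")
    [ -n "$v" ] || return 2
    [ "$(version_cmp "$v" "$FIXED_VERSION")" -ge 0 ]
}

# Workaround check for hosts that cannot be patched yet: does the config
# text on stdin (e.g. the output of `httpd -t -D DUMP_CONFIG`) contain an
# uncommented "H2Push off"? This is a heuristic: H2Push can be set per
# virtual host, so a match does not prove every vhost has push disabled.
h2push_disabled() {
    grep -v '^[[:space:]]*#' | grep -iqE '^[[:space:]]*H2Push[[:space:]]+off'
}

# Live use on a host (the unit tests below run on constructed banners):
#   banner=$(httpd -v 2>/dev/null || apache2 -v 2>/dev/null)
#   httpd_is_patched "$banner" && echo "at or above $FIXED_VERSION"
```

The banner check is only a version check: distributions that backport the fixes into an older version string (2.4.38-x style packages, for instance) will be reported as unpatched, so confirm against the vendor's changelog before acting on the result.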
References
- [1] uncovered (bugs.chromium.org)
- [2] 2.4.46 (downloads.apache.org)
- [3] Apache noted (httpd.apache.org)
- [4] mod_http2 (httpd.apache.org)
- [5] specially crafted ‘Cache-Digest’ header (bugs.chromium.org)
- [6] web optimization feature (datatracker.ietf.org)
- [7] HTTP/2 server push (httpd.apache.org)
Read more http://feedproxy.google.com/~r/TheHackersNews/~3/cYGctiJhlX8/apache-webserver-security.html