CVE-2016-4979

Name of the Vulnerable Software and Affected Versions Apache HTTP Server versions 2.4.18 through 2.4.20

Description The issue allows remote attackers to bypass intended access restrictions by leveraging the ability to send multiple requests over a single connection and aborting a renegotiation, when mod http2 and mod ssl are enabled. This is due to the improper recognition of the SSLVerifyClient require directive for HTTP/2 request authorization. The problem affects configurations that enable support for HTTP/2, where SSL client certificate validation was not enforced if configured, allowing clients unauthorized access to protected resources over HTTP/2.

Recommendations For versions 2.4.18 through 2.4.20, consider disabling the mod http2 module until a patch is available to enforce SSL client certificate validation for HTTP/2 requests. Restrict access to protected resources over HTTP/2 to minimize the risk of exploitation. Avoid relying solely on the SSLVerifyClient require directive for access control in HTTP/2 configurations.