PT-2019-2672 · Apache · Apache HTTP Server

Published: 2019-04-01 · Updated: 2021-06-06 · CVE-2019-0196

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions

Apache HTTP Server versions 2.4.17 through 2.4.38

Description

A vulnerability was discovered in the mod_http2 module of Apache HTTP Server, related to the use of freed memory. A remote attacker could cause a denial of service or access sensitive information by sending a specially crafted request. With fuzzed network input, the HTTP/2 request handling can access freed memory during the string comparison that determines the method of a request, so the request is processed incorrectly.

Recommendations

For Apache HTTP Server versions 2.4.17 through 2.4.38, update to a version that includes the fix for this issue. As a temporary workaround, consider disabling the HTTP/2 protocol until a patch is available. Restrict access to the mod_http2 module to minimize the risk of exploitation.

Fix

DoS

Use After Free


Weakness Enumeration

Related Identifiers

ALSA-2020:4751
ALT-PU-2019-1580
BDU:2019-02559
CESA-2020_4751
CVE-2019-0196
DSA-4422-1
OPENSUSE-SU-2019:1209-1
OPENSUSE-SU-2019_1190-1
OPENSUSE-SU-2019_1209-1
OPENSUSE-SU-2019_1258-1
RHSA-2019:3932
RHSA-2019:3933
RHSA-2020:2644
RHSA-2020:4751
RHSA-2020_4751
RLSA-2020:4751
SUSE-SU-2019:0873-1
SUSE-SU-2019:0878-1
USN-3937-1

Affected Products

ALT Linux
AlmaLinux
Apache HTTP Server
CentOS
Red Hat
Rocky Linux
SUSE
Ubuntu