PT-2019-3894 · Apache · Apache Http Server

Published

2019-04-12

·

Updated

2024-06-15

·

CVE-2019-10082

CVSS v3.1

9.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Apache HTTP Server versions 2.4.18 through 2.4.39
Description: The issue lies in the HTTP/2 implementation (mod_http2) of the Apache HTTP Server. Using fuzzed network input, the HTTP/2 session handling could be made to read memory after it had been freed during connection shutdown, a use-after-free. A remote, unauthenticated attacker who can open an HTTP/2 connection to the server can trigger the condition and crash the serving process, causing a denial of service; because freed memory is read, the CVSS vector also rates the confidentiality impact as high.
Recommendations: Upgrade Apache HTTP Server to 2.4.41 or later; the fix for CVE-2019-10082 shipped in 2.4.41 (there was no 2.4.40 release), and the distribution advisories listed under Related Identifiers carry backported fixes for packaged builds, so a packaged 2.4.x may be patched without a version bump. Where an immediate upgrade is not possible, disable HTTP/2 until patched: remove h2 and h2c from the Protocols directive (leaving http/1.1) or stop loading mod_http2. Restricting which clients can reach HTTP/2-enabled listeners reduces exposure but does not remove the flaw, since the malformed frames are supplied by the remote peer.
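The following is an added example, not part of this advisory or of the Apache project, showing how an operator would check a host against the recommendation above: whether the httpd build falls in the affected 2.4.18 through 2.4.39 range, and whether the configuration still negotiates HTTP/2 (the weak Protocols line beside the mitigated one). The version line and configuration snippets are constructed for the demonstration; the function names httpd_version_affected, config_offers_h2 and assess are this example's own.

```sh
#!/bin/sh
# Added example (not from the advisory or the Apache project): decide whether a
# host needs the CVE-2019-10082 mitigation. Two checks:
#   1. is the httpd build in the affected range 2.4.18..2.4.39?
#   2. does the configuration still advertise HTTP/2 (h2 / h2c)?
# On a real host feed in `httpd -v | head -n1` (or `apache2 -v` on Debian/Ubuntu)
# and the contents of the server configuration files.

# httpd_version_affected "<Server version line>"
# Returns 0 when the Apache version is within 2.4.18..2.4.39, 1 when it is
# outside that range, 2 when no Apache version can be parsed from the line.
httpd_version_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's|.*Apache/\([0-9][0-9.]*\).*|\1|p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;   # third component only
        *)   patch=0 ;;                                # "2.4" with no patch level
    esac
    if [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] \
       && [ "$patch" -ge 18 ] && [ "$patch" -le 39 ]; then
        return 0
    fi
    return 1
}

# config_offers_h2 "<httpd configuration text>"
# Returns 0 when an uncommented Protocols directive (server-wide or inside a
# VirtualHost) lists h2 or h2c, i.e. the server still negotiates HTTP/2;
# 1 otherwise. Commented lines start with '#', so they never match.
config_offers_h2() {
    printf '%s\n' "$1" \
      | grep -Eiq '^[[:space:]]*Protocols([[:space:]]+[^[:space:]]+)*[[:space:]]+h2c?([[:space:]]|$)'
}

# Constructed inputs for the demonstration (not captured from a real host).
VERSION_LINE_OLD='Server version: Apache/2.4.39 (Unix)'
VERSION_LINE_NEW='Server version: Apache/2.4.41 (Unix)'

# Exposed configuration: mod_http2 loaded and h2/h2c advertised to clients.
CONF_H2_ON='LoadModule http2_module modules/mod_http2.so
Protocols h2 h2c http/1.1'

# Mitigated configuration: HTTP/2 no longer negotiated; the module is not loaded.
CONF_H2_OFF='#LoadModule http2_module modules/mod_http2.so
Protocols http/1.1'

# assess "<version line>" "<config text>"
# Prints a verdict; returns 0 when the host needs action (affected build AND
# HTTP/2 enabled), 1 otherwise.
assess() {
    if httpd_version_affected "$1"; then vuln_ver=yes; else vuln_ver=no; fi
    if config_offers_h2 "$2"; then h2=yes; else h2=no; fi
    if [ "$vuln_ver" = yes ] && [ "$h2" = yes ]; then
        echo "ACTION: build in 2.4.18..2.4.39 with HTTP/2 enabled -> upgrade to 2.4.41+ or drop h2/h2c from Protocols"
        return 0
    fi
    echo "ok: affected_version=$vuln_ver http2_enabled=$h2"
    return 1
}

# The trailing '|| :' only keeps a non-zero verdict from aborting a 'set -e' shell.
assess "$VERSION_LINE_OLD" "$CONF_H2_ON"  || :   # affected build, h2 on  -> ACTION
assess "$VERSION_LINE_OLD" "$CONF_H2_OFF" || :   # affected build, h2 off -> ok
assess "$VERSION_LINE_NEW" "$CONF_H2_ON"  || :   # patched build,  h2 on  -> ok
```

The version check is only a first filter: the vendor advisories in Related Identifiers backport the fix into packaged 2.4.x builds (for example 2.4.37 on RHEL 8 via RHSA-2020:4751), so on a distribution package confirm the patch through the package changelog or the vendor advisory rather than the version string. Conversely, a build outside the range with h2 still enabled is fine for this CVE but still worth noting in an inventory. After changing Protocols, restart httpd and confirm with `apachectl -M` that http2_module is no longer loaded if you also removed the LoadModule line.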

Exploit

Weakness Enumeration

CWE-416: Use After Free

Related Identifiers

ALSA-2020:4751
ALT-PU-2019-2471
ALT-PU-2019-3402
BDU:2019-04287
CESA-2020:4751
CVE-2019-10082
DSA-4509-1
DSA-4509-2
MGASA-2019-0407
OPENSUSE-SU-2019:2051-1
OPENSUSE-SU-2024:10623-1
RHSA-2020:1337
RHSA-2020:4751
RLSA-2020:4751
SUSE-SU-2019:2237-1
SUSE-SU-2019:2329-1
USN-4113-1
USN-4113-2

Affected Products

Alt Linux
Almalinux
Apache Http Server
Centos
Red Hat
Rocky Linux
Suse
Ubuntu