PT-2019-3932 · Apache+7 · Apache Http Server+7

Published: 2019-01-29 · Updated: 2022-09-07 · CVE-2019-0197

CVSS v2.0: 4.9 (Medium)
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Apache HTTP Server versions 2.4.34 through 2.4.38
Description: A vulnerability was found in the implementation of the HTTP/2 protocol in the Apache HTTP Server. The issue is related to the handling of HTTP requests. When HTTP/2 was enabled for an http: host, or H2Upgrade was enabled for h2 on an https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. The vulnerability can be exploited by a remote attacker to cause a denial of service or lead to incorrect server configuration.
Recommendations: For Apache HTTP Server versions 2.4.34 through 2.4.38, consider disabling the HTTP/2 protocol for http: hosts or disabling the H2Upgrade option for h2 on https: hosts as a temporary workaround until a patch is available. Restrict access to the H2Upgrade configuration to minimize the risk of exploitation. Avoid using the H2Upgrade option until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

DoS
HTTP Request/Response Smuggling

Related Identifiers

ALSA-2020:4751
ALT-PU-2019-1580
BDU:2019-04410
CESA-2020_4751
CVE-2019-0197
OPENSUSE-SU-2019:1209-1
OPENSUSE-SU-2019_1190-1
OPENSUSE-SU-2019_1209-1
OPENSUSE-SU-2019_1258-1
RHSA-2019:3932
RHSA-2019:3933
RHSA-2020:2644
RHSA-2020:4751
RHSA-2020_4751
RLSA-2020:4751
SUSE-SU-2019:0873-1
SUSE-SU-2019:0878-1
USN-4113-1
USN-4113-2

Affected Products

Alt Linux
Almalinux
Apache Http Server
Centos
Red Hat
Rocky Linux
Suse
Ubuntu