Affected: Apache HTTP Server versions 2.4.20 to 2.4.43

When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00068.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00071.html
http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00081.html
http://packetstormsecurity.com/files/160393/Apache-2-HTTP2-Module-Concurrent-Pool-Usage.html
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-11993
https://lists.apache.org/thread.html/[email protected]%3Ccvs.httpd.apache.org%3E
https://lists.apache.org/thread.html/[email protected]%3Cdev.httpd.apache.org%3E
https://security.gentoo.org/glsa/202008-04
https://security.netapp.com/advisory/ntap-20200814-0005/
https://usn.ubuntu.com/4458-1/
https://www.debian.org/security/2020/dsa-4757
Source: MITRE
Published: 2020-08-07
Updated: 2021-03-30
Type: CWE-444
CVSS v2.0
Base Score: 4.3
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Impact Score: 2.9
Exploitability Score: 8.6
Severity: MEDIUM
CVSS v3.1
Base Score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Impact Score: 3.6
Exploitability Score: 3.9
Severity: HIGH
Affected configurations (any of the following):
cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:* versions from 2.4.20 to 2.4.43 (inclusive)
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:* versions from 8.2.0 to 8.2.2 (inclusive)
cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:* versions from 8.2.0 to 8.2.2 (inclusive)
cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:* versions from 8.2.0 to 8.2.2 (inclusive)
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*
ID | Name | Product | Family | Severity |
---|---|---|---|---|
147602 | EulerOS : httpd (EulerOS-SA-2021-1602) | Nessus | Huawei Local Security Checks | high |
143613 | SUSE SLES15 Security Update : apache2 (SUSE-SU-2020:3067-1) | Nessus | SuSE Local Security Checks | medium |
143158 | Amazon Linux 2 : httpd (ALAS-2020-1490) | Nessus | Amazon Linux Local Security Checks | high |
142207 | openSUSE Security Update : apache2 (openSUSE-2020-1792) | Nessus | SuSE Local Security Checks | medium |
142025 | RHEL 6 / 7 : Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP5 (RHSA-2020:4384) | Nessus | Red Hat Local Security Checks | high |
140966 | EulerOS Virtualization for ARM 64 3.0.6.0 : httpd (EulerOS-SA-2020-2018) | Nessus | Huawei Local Security Checks | high |
140635 | Amazon Linux 2 : mod_http2 (ALAS-2020-1493) | Nessus | Amazon Linux Local Security Checks | medium |
112580 | Apache 2.4.x < 2.4.46 Multiple Vulnerabilities | Web Application Scanning | Component Vulnerability | high |
140252 | SUSE SLES12 Security Update : apache2 (SUSE-SU-2020:2450-1) | Nessus | SuSE Local Security Checks | medium |
140104 | Debian DSA-4757-1 : apache2 - security update | Nessus | Debian Local Security Checks | high |
140086 | Amazon Linux AMI : httpd24 (ALAS-2020-1418) | Nessus | Amazon Linux Local Security Checks | high |
140078 | openSUSE Security Update : apache2 (openSUSE-2020-1293) | Nessus | SuSE Local Security Checks | high |
140076 | openSUSE Security Update : apache2 (openSUSE-2020-1285) | Nessus | SuSE Local Security Checks | high |
139957 | EulerOS 2.0 SP8 : httpd (EulerOS-SA-2020-1854) | Nessus | Huawei Local Security Checks | high |
139906 | SUSE SLES15 Security Update : apache2 (SUSE-SU-2020:2344-1) | Nessus | SuSE Local Security Checks | high |
139884 | Fedora 31 : mod_http2 (2020-b58dc5df38) | Nessus | Fedora Local Security Checks | medium |
139844 | SUSE SLED15 / SLES15 Security Update : apache2 (SUSE-SU-2020:2311-1) | Nessus | SuSE Local Security Checks | high |
139736 | Fedora 32 : mod_http2 (2020-8122a8daa2) | Nessus | Fedora Local Security Checks | medium |
139697 | Photon OS 1.0: Httpd PHSA-2020-1.0-0313 | Nessus | PhotonOS Local Security Checks | high |
139612 | Photon OS 3.0: Httpd PHSA-2020-3.0-0125 | Nessus | PhotonOS Local Security Checks | high |
139609 | Photon OS 2.0: Httpd PHSA-2020-2.0-0272 | Nessus | PhotonOS Local Security Checks | high |
139596 | Ubuntu 16.04 LTS / 18.04 LTS / 20.04 : Apache HTTP Server vulnerabilities (USN-4458-1) | Nessus | Ubuntu Local Security Checks | high |
139574 | Apache 2.4.x < 2.4.46 Multiple Vulnerabilities | Nessus | Web Servers | high |
139439 | GLSA-202008-04 : Apache: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high |
139436 | FreeBSD : Apache httpd -- Multiple vulnerabilities (76700d2f-d959-11ea-b53c-d4c9ef517024) | Nessus | FreeBSD Local Security Checks | high |