Уязвимость CVE-2020-11993: Информация

Описание

Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.

Важность: HIGH (7,5) Вектор: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2020-11993
Опубликовано: 7 августа 2020 г.
Изменено: 7 ноября 2023 г.
Идентификатор типа ошибки: CWE-444

Исправленные пакеты

Имя пакета
Ветка
Исправлено в версии
Версия в репозитории
Errata ID
№ Задания
Состояние
apache2sisyphus2.4.46-alt12.4.59-alt1ALT-PU-2020-2594-1256269Исправлено
apache2p102.4.46-alt12.4.59-alt1ALT-PU-2020-2594-1256269Исправлено
apache2p92.4.48-alt32.4.58-alt1ALT-PU-2021-2035-1272181Исправлено
apache2c10f12.4.46-alt12.4.59-alt1ALT-PU-2020-2594-1256269Исправлено
apache2c9f22.4.46-alt22.4.59-alt1ALT-PU-2020-3362-1262118Исправлено
apache2p112.4.46-alt12.4.59-alt1ALT-PU-2020-2594-1256269Исправлено

Ссылки на рекомендации, решения и инструменты

Ссылка
Ресурс
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-11993
  • Vendor Advisory
GLSA-202008-04
  • Third Party Advisory
https://security.netapp.com/advisory/ntap-20200814-0005/
  • Third Party Advisory
USN-4458-1
  • Third Party Advisory
openSUSE-SU-2020:1285
  • Mailing List
  • Third Party Advisory
openSUSE-SU-2020:1293
  • Mailing List
  • Third Party Advisory
DSA-4757
  • Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html
  • Vendor Advisory
openSUSE-SU-2020:1792
  • Mailing List
  • Third Party Advisory
http://packetstormsecurity.com/files/160393/Apache-2-HTTP2-Module-Concurrent-Pool-Usage.html
  • Exploit
  • Third Party Advisory
  • VDB Entry
https://www.oracle.com/security-alerts/cpujan2021.html
  • Third Party Advisory
[httpd-dev] 20200808 Security announcements for CVE-2020-9490/CVE-2020-11993 ?
    [httpd-dev] 20200811 Which version fixed the CVE-2020-9490, CVE-2020-11984 and CVE-2020-11993 vulnerabilities?
      [httpd-dev] 20200811 Re: Which version fixed the CVE-2020-9490, CVE-2020-11984 and CVE-2020-11993 vulnerabilities?
        FEDORA-2020-8122a8daa2
          FEDORA-2020-b58dc5df38
            [httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
              [httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/
                [httpd-cvs] 20210330 svn commit: r1888194 [13/13] - /httpd/site/trunk/content/security/json/
                  [httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
                    [httpd-cvs] 20210330 svn commit: r1073139 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
                      [httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
                        [httpd-cvs] 20210330 svn commit: r1073149 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
                          [httpd-cvs] 20210330 svn commit: r1073171 - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-11984.json security/json/CVE-2020-11993.json security/vulnerabilities_24.html
                            [httpd-cvs] 20210330 svn commit: r1888228 - in /httpd/site/trunk/content/security/json: CVE-2020-11984.json CVE-2020-11993.json
                              [httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

                                  1. Конфигурация 1

                                    cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
                                    Start including
                                    2.4.20
                                    End including
                                    2.4.43

                                    Конфигурация 2

                                    cpe:2.3:a:netapp:clustered_data_ontap:-:*:*:*:*:*:*:*

                                    Конфигурация 3

                                    cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
                                    cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
                                    cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*

                                    Конфигурация 4

                                    cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
                                    cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*

                                    Конфигурация 5

                                    cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

                                    Конфигурация 6

                                    cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
                                    cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

                                    Конфигурация 7

                                    cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
                                    cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
                                    cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
                                    cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*
                                    cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
                                    cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*
                                    Start including
                                    8.2.0
                                    End including
                                    8.2.2
                                    cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*
                                    Start including
                                    8.2.0
                                    End including
                                    8.2.2
                                    cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*
                                    Start including
                                    8.2.0
                                    End including
                                    8.2.2
                                    cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*
                                VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
                                Версия: v24.5.3
                                Наверх