Уязвимость CVE-2020-9490: Информация

Описание

Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.

Важность: HIGH (7,5) Вектор: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2020-9490
Опубликовано: 7 августа 2020 г.
Изменено: 7 ноября 2023 г.
Идентификатор типа ошибки: CWE-444

Исправленные пакеты

Имя пакета
Ветка
Исправлено в версии
Версия в репозитории
Errata ID
№ Задания
Состояние
apache2sisyphus2.4.46-alt12.4.59-alt1ALT-PU-2020-2594-1256269Исправлено
apache2p102.4.46-alt12.4.59-alt1ALT-PU-2020-2594-1256269Исправлено
apache2p92.4.48-alt32.4.58-alt1ALT-PU-2021-2035-1272181Исправлено
apache2c10f12.4.46-alt12.4.59-alt1ALT-PU-2020-2594-1256269Исправлено
apache2c9f22.4.46-alt22.4.59-alt1ALT-PU-2020-3362-1262118Исправлено
apache2p112.4.46-alt12.4.59-alt1ALT-PU-2020-2594-1256269Исправлено

Ссылки на рекомендации, решения и инструменты

Ссылка
Ресурс
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-9490
  • Vendor Advisory
GLSA-202008-04
  • Third Party Advisory
https://security.netapp.com/advisory/ntap-20200814-0005/
  • Third Party Advisory
USN-4458-1
  • Third Party Advisory
openSUSE-SU-2020:1285
  • Mailing List
  • Third Party Advisory
openSUSE-SU-2020:1293
  • Mailing List
  • Third Party Advisory
DSA-4757
  • Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html
  • Patch
  • Third Party Advisory
openSUSE-SU-2020:1792
  • Mailing List
  • Third Party Advisory
http://packetstormsecurity.com/files/160392/Apache-2.4.43-mod_http2-Memory-Corruption.html
  • Third Party Advisory
  • VDB Entry
https://www.oracle.com/security-alerts/cpujan2021.html
  • Patch
  • Third Party Advisory
[httpd-dev] 20200808 Security announcements for CVE-2020-9490/CVE-2020-11993 ?
    [httpd-dev] 20200811 Which version fixed the CVE-2020-9490, CVE-2020-11984 and CVE-2020-11993 vulnerabilities?
      [httpd-dev] 20200811 Re: Which version fixed the CVE-2020-9490, CVE-2020-11984 and CVE-2020-11993 vulnerabilities?
        FEDORA-2020-8122a8daa2
          FEDORA-2020-b58dc5df38
            [httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
              [httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/
                [httpd-cvs] 20210330 svn commit: r1888194 [13/13] - /httpd/site/trunk/content/security/json/
                  [httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html
                    [httpd-cvs] 20210330 svn commit: r1073139 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/json/
                      [httpd-cvs] 20210330 svn commit: r1888203 - /httpd/site/trunk/content/security/json/CVE-2020-9490.json
                        [httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
                          [httpd-cvs] 20210330 svn commit: r1073148 - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-9490.json
                            [httpd-cvs] 20210330 svn commit: r1073149 [13/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
                              [httpd-cvs] 20210407 svn commit: r1073454 - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-9490.json security/vulnerabilities_24.html
                                [httpd-cvs] 20210407 svn commit: r1888469 - /httpd/site/trunk/content/security/json/CVE-2020-9490.json
                                  [httpd-cvs] 20210603 svn commit: r1075355 - in /websites/staging/httpd/trunk/content: ./ security/ security/json/
                                    [httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

                                        1. Конфигурация 1

                                          cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*
                                          Start including
                                          2.4.20
                                          End excliding
                                          2.4.46

                                          Конфигурация 2

                                          cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
                                          cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
                                          cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
                                          cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.1.2.4:*:*:*:*:*:*:*
                                          cpe:2.3:a:oracle:enterprise_manager_ops_center:12.4.0.0:*:*:*:*:*:*:*
                                          cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*
                                          Start including
                                          8.2.0
                                          End including
                                          8.2.2
                                          cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*
                                          Start including
                                          8.2.0
                                          End including
                                          8.2.2
                                          cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*
                                          Start including
                                          8.2.0
                                          End including
                                          8.2.2
                                          cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*

                                          Конфигурация 3

                                          cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
                                          cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*

                                          Конфигурация 4

                                          cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

                                          Конфигурация 5

                                          cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
                                          cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

                                          Конфигурация 6

                                          cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
                                          cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
                                          cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*

                                          Конфигурация 7

                                          cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
                                          Running on/with:
                                          cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
                                          Running on/with:
                                          cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
                                          Running on/with:
                                          cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*
                                          Running on/with:
                                          cpe:2.3:o:redhat:enterprise_linux:7.7:*:*:*:*:*:*:*

                                          Конфигурация 8

                                          cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
                                          cpe:2.3:a:redhat:openstack:16.1:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.2:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.4:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.1:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.2:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.2:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.1:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.1:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.4:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.4:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.1:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.2:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.4:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:8.6:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_server_update_services_for_sap_solutions:8.6:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.6:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*
                                          cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.6:*:*:*:*:*:*:*
                                          cpe:2.3:a:redhat:openstack_for_ibm_power:16.1:*:*:*:*:*:*:*
                                      VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
                                      Версия: v24.5.3
                                      Наверх