Welcome back to this week's security bulletin!
Apache Web Server Software has reported three flaws. Install the software's latest available version to prevent hackers from taking unauthorised control over the Apache web server.
Apache recently fixed multiple vulnerabilities in its web server software that leads to the execution of arbitrary code and could allow hackers to cause a crash.
Felix Wilhelm of Google Project Zero uncovered the flaws and tracked them as CVE-2020-9490, CVE-2020-11984, CVE-2020-11993. The Apache Foundation has addressed these flaws in the latest Apache version (2.4.46).
The CVE-2020-11984 flaw can lead to possible remote code execution vulnerability due to a buffer overflow with the "mod_uwsgi" module. This flaw can potentially allow an adversary to view, change, or delete sensitive data of the webserver.
The CVE-2020-11993 flaw triggers a vulnerability when debugging mode is enabled in the "mod_http2" module. This flaw creates the logging statements in the wrong connection, resulting in memory corruption due to the concurrent log pool usage.
The CVE-2020-9490 flaw is the most severe of the three flaws, and it also resides in the HTTP/2 module. This flaw causes memory corruption leading to a crash and denial of service using a specially crafted "Cache Digest Header".
Cache Digest is a now-abandoned web optimization feature that aims to address an issue with server pushes, which allows a server to send responses to a client ahead of time preemptively. Cache Digest allows the clients to inform the server about their freshly cached contents to ensure bandwidth is not wasted in sending resources already available in the cache.
When a specially crafted value is injected in an HTTP/2 request into the 'Cache-Digest' header, it crashes when the server sends a PUSH packet using the Cache-Digest header. We can resolve this flaw by turning the HTTP/2 web server feature off on unpatched servers.
Although there are no current reports of these vulnerabilities being exploited in the wild, it is essential to apply patches on the vulnerable systems immediately after appropriate testing. Also, ensure that the webserver application has been configured with only the required permissions to mitigate this flaw's impact.