Apache HTTP Server, which is colloquially referred to as Apache, is an open-source cross-platform web server software developed and maintained by a community of developers under the auspices of Apache Software Foundation.
While Apache flaws, tracked as CVE-2020-9490, CVE-2020-11984 and CVE-2020-11993, were disclosed by a member of Google Project Zero, named Felix Wilhelm, but since have been fixed by the Apache Foundation.
The Apache foundation fixed multiple vulnerabilities in the web server software that could have potentially allowed an attacker to execute arbitrary code, and in some specific cases, could even allow the attackers to cause a denial of service.
What's the nature of the Apache HTTP Server Flaws
The flaw tracked as (CVE-2020-11984) potentially allows an attacker to view, alter, or delete sensitive information depending on privileges associated with the application running on the Apache server.
And the second flaw (CVE-2020-11993) steps from debugging which is enabled in the "mod_http2" module, thus causing the logging statements to be made on wrong connection and thereby resulting to memory corruption due to concurrent log pool. While the flaw marked as CVE-2020-9490 is the most severe and resides in the HTTP/2 module using a specially crafted 'Cache-Digest' header to cause memory corruption leading to a denial of service.
If a specially crafted code is injected into the 'Cache-Digest' header in HTTP/2 request, it could potentially crash the server by sending a PUSH packet using the header, but this issue can be resolved by simply turning off the HTTP/2 server push feature.
How to Mitigate against the Apache HTTP Server Flaws
These vulnerabilities are not yet been exploited in the wild, but it is essential that users should carry out due testing and make sure that applications running on the server are configured with the required permissions to help mitigate further security impact.
And the latest version of the Apache software v2.4.46, should immediately be installed on the server application to prevent attackers from taking unauthorized control of the server.
No comments