CVE-2020-9490

Summary

CVE	CVE-2020-9490
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2020-08-07 16:15:00 UTC
Updated	2023-11-07 03:26:00 UTC
Description	Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.

Risk And Classification

Problem Types: CWE-444

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Http Server	All	All	All	All
Application	Apache	Http Server	All	All	All	All
Operating System	Canonical	Ubuntu Linux	16.04	All	All	All
Operating System	Canonical	Ubuntu Linux	18.04	All	All	All
Operating System	Canonical	Ubuntu Linux	20.04	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Fedoraproject	Fedora	31	All	All	All
Operating System	Fedoraproject	Fedora	32	All	All	All
Operating System	Opensuse	Leap	15.1	All	All	All
Operating System	Opensuse	Leap	15.2	All	All	All
Application	Oracle	Communications Element Manager	All	All	All	All
Application	Oracle	Communications Session Report Manager	All	All	All	All
Application	Oracle	Communications Session Route Manager	All	All	All	All
Application	Oracle	Enterprise Manager Ops Center	12.4.0.0	All	All	All
Application	Oracle	Hyperion Infrastructure Technology	11.1.2.4	All	All	All
Application	Oracle	Instantis Enterprisetrack	17.1	All	All	All
Application	Oracle	Instantis Enterprisetrack	17.2	All	All	All
Application	Oracle	Instantis Enterprisetrack	17.3	All	All	All
Application	Oracle	Zfs Storage Appliance Kit	8.8	All	All	All
Operating System	Redhat	Enterprise Linux	6.0	All	All	All
Operating System	Redhat	Enterprise Linux	7.0	All	All	All
Operating System	Redhat	Enterprise Linux	7.6	All	All	All
Operating System	Redhat	Enterprise Linux	7.7	All	All	All
Operating System	Redhat	Enterprise Linux	8.0	All	All	All
Operating System	Redhat	Enterprise Linux Eus	8.1	All	All	All
Operating System	Redhat	Enterprise Linux Eus	8.2	All	All	All
Operating System	Redhat	Enterprise Linux Eus	8.4	All	All	All
Operating System	Redhat	Enterprise Linux Eus	8.6	All	All	All
Operating System	Redhat	Enterprise Linux For Ibm Z Systems	8.0	All	All	All
Operating System	Redhat	Enterprise Linux For Ibm Z Systems Eus	8.1	All	All	All
Operating System	Redhat	Enterprise Linux For Ibm Z Systems Eus	8.2	All	All	All
Operating System	Redhat	Enterprise Linux For Ibm Z Systems Eus	8.4	All	All	All
Operating System	Redhat	Enterprise Linux For Ibm Z Systems Eus	8.6	All	All	All
Operating System	Redhat	Enterprise Linux For Power Little Endian	8.0	All	All	All
Operating System	Redhat	Enterprise Linux For Power Little Endian Eus	8.1	All	All	All
Operating System	Redhat	Enterprise Linux For Power Little Endian Eus	8.2	All	All	All
Operating System	Redhat	Enterprise Linux For Power Little Endian Eus	8.4	All	All	All
Operating System	Redhat	Enterprise Linux For Power Little Endian Eus	8.6	All	All	All
Operating System	Redhat	Enterprise Linux Server Aus	8.2	All	All	All
Operating System	Redhat	Enterprise Linux Server Aus	8.4	All	All	All
Operating System	Redhat	Enterprise Linux Server Aus	8.6	All	All	All
Operating System	Redhat	Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions	8.1	All	All	All
Operating System	Redhat	Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions	8.2	All	All	All
Operating System	Redhat	Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions	8.4	All	All	All
Operating System	Redhat	Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions	8.6	All	All	All
Operating System	Redhat	Enterprise Linux Server Tus	8.2	All	All	All
Operating System	Redhat	Enterprise Linux Server Tus	8.4	All	All	All
Operating System	Redhat	Enterprise Linux Server Tus	8.6	All	All	All
Operating System	Redhat	Enterprise Linux Server Update Services For Sap Solutions	8.1	All	All	All
Operating System	Redhat	Enterprise Linux Server Update Services For Sap Solutions	8.2	All	All	All
Operating System	Redhat	Enterprise Linux Server Update Services For Sap Solutions	8.4	All	All	All
Operating System	Redhat	Enterprise Linux Server Update Services For Sap Solutions	8.6	All	All	All
Application	Redhat	Openstack	16.1	All	All	All
Application	Redhat	Openstack For Ibm Power	16.1	All	All	All
Application	Redhat	Software Collections	1.0	All	All	All

References

Reference	Source	Link	Tags
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
[security-announce] openSUSE-SU-2020:1285-1: moderate: Security update f	SUSE	lists.opensuse.org
Apache httpd 2.4 vulnerabilities - The Apache HTTP Server Project	MISC	httpd.apache.org	Vendor Advisory
Pony Mail!	MLIST	lists.apache.org	Vendor Advisory
Pony Mail!		lists.apache.org
Apache 2.4.43 mod_http2 Memory Corruption ≈ Packet Storm	MISC	packetstormsecurity.com
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Debian -- Security Information -- DSA-4757-1 apache2	DEBIAN	www.debian.org
[SECURITY] Fedora 32 Update: mod_http2-1.15.14-1.fc32 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Vendor Advisory
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Oracle Critical Patch Update Advisory - October 2020	MISC	www.oracle.com
[SECURITY] Fedora 31 Update: mod_http2-1.15.14-1.fc31 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[security-announce] openSUSE-SU-2020:1792-1: important: Security update	SUSE	lists.opensuse.org
Pony Mail!		lists.apache.org
August 2020 Apache HTTP Server Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[security-announce] openSUSE-SU-2020:1293-1: moderate: Security update f	SUSE	lists.opensuse.org
Pony Mail!	MLIST	lists.apache.org	Vendor Advisory
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
[SECURITY] Fedora 31 Update: mod_http2-1.15.14-1.fc31 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Apache: Multiple vulnerabilities (GLSA 202008-04) — Gentoo security	GENTOO	security.gentoo.org	Third Party Advisory
Pony Mail!		lists.apache.org
[SECURITY] Fedora 32 Update: mod_http2-1.15.14-1.fc32 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
USN-4458-1: Apache HTTP Server vulnerabilities \| Ubuntu security notices \| Ubuntu	UBUNTU	usn.ubuntu.com
Oracle Critical Patch Update Advisory - January 2021	MISC	www.oracle.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

296072 Oracle Solaris 11.4 Support Repository Update (SRU) 25.75.3 Missing (CPUJUL2020)
377378 Alibaba Cloud Linux Security Update for httpd:2.4 (ALINUX3-SA-2022:0017)
500020 Alpine Linux Security Update for apache2
503711 Alpine Linux Security Update for apache2
690506 Free Berkeley Software Distribution (FreeBSD) Security Update for apache httpd (76700d2f-d959-11ea-b53c-d4c9ef517024)
900119 CBL-Mariner Linux Security Update for httpd 2.4.43
903641 Common Base Linux Mariner (CBL-Mariner) Security Update for httpd (1976)