Allele Security Alert
ASA-2019-00169
Identifier(s)
ASA-2019-00169, CVE-2019-0197
Title
mod_http2, possible crash on late upgrade
Vendor(s)
Apache Software Foundation
Product(s)
Apache HTTP Server (httpd)
Affected version(s)
Apache HTTP Server version 2.4.34 to 2.4.38
Fixed version(s)
Apache HTTP Server version 2.4.39
Proof of concept
Unknown
Description
When HTTP/2 was enabled for an http: host or H2Upgrade was enabled for h2 on an https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. Servers that never enabled the h2 protocol or only enabled it for https: and did not set “H2Upgrade on” are unaffected by this issue.
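The conditions above can be checked against a configuration file. The following is an added example, not code from this alert or from the Apache project: it reads the Protocols, H2Upgrade and SSLEngine directives per virtual host and lists the hosts that match the description on an affected version. The function names and the sample configuration are constructed; it assumes an https: host is one with "SSLEngine on", that HTTP/2 on an http: host means h2c is listed in Protocols, and that no Include files are involved.

```python
import re

AFFECTED = ((2, 4, 34), (2, 4, 38))   # affected range stated in this alert

def parse_scopes(conf):
    """Return [(label, {directive: [args]})]; entry 0 is the main server scope."""
    scopes = [("main server", {})]
    current = scopes[0][1]
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            scopes.append((opened.group(1).strip(), {}))
            current = scopes[-1][1]
        elif line.lower().startswith("</virtualhost"):
            current = scopes[0][1]
        else:
            name, *args = line.split()
            current[name.lower()] = [a.lower() for a in args]
    return scopes

def exposed_hosts(conf, version):
    """Labels of hosts that match the alert's affected-configuration conditions."""
    v = tuple(int(p) for p in version.split("."))
    if not AFFECTED[0] <= v <= AFFECTED[1]:
        return []
    scopes, hits = parse_scopes(conf), []
    for label, own in scopes:
        eff = {**scopes[0][1], **own}   # vhost settings override inherited ones
        protos = eff.get("protocols", ["http/1.1"])
        if eff.get("sslengine", ["off"])[0] == "on":
            # https: host: affected only with h2 enabled and "H2Upgrade on"
            bad = "h2" in protos and eff.get("h2upgrade", ["off"])[0] == "on"
        else:
            # http: host (assumption: HTTP/2 "enabled" means h2c is in Protocols)
            bad = "h2c" in protos
        if bad:
            hits.append(label)
    return hits

# Constructed sample configuration (hypothetical hosts), one directive per item.
SAMPLE_CONF = "\n".join([
    "Protocols h2 http/1.1",
    "<VirtualHost *:80>", "Protocols h2c http/1.1", "</VirtualHost>",
    "<VirtualHost *:443>", "SSLEngine on", "</VirtualHost>",
    "<VirtualHost 10.0.0.5:443>", "SSLEngine on", "H2Upgrade on", "</VirtualHost>",
])
```

On the sample, the cleartext host with h2c and the TLS host with "H2Upgrade on" are reported for version 2.4.38, while the TLS host that only inherits h2 is not; the fixed version 2.4.39 reports nothing.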
Technical details
Unknown
Credits
Stefan Eissing (greenbytes.de)
Reference(s)
httpd 2.4 vulnerabilities – The Apache HTTP Server Project
https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2019-0197: mod_http2, possible crash on late upgrade
https://seclists.org/oss-sec/2019/q2/1
CVE-2019-0197
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0197
CVE-2019-0197
https://nvd.nist.gov/vuln/detail/CVE-2019-0197
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: October 2, 2019