Allele Security Alert
ASA-2019-00515
Identifier(s)
ASA-2019-00515, CVE-2019-10081
Title
mod_http2, memory corruption on early pushes
Vendor(s)
The Apache Software Foundation
Product(s)
Apache HTTP Server
Affected version(s)
Apache HTTP Server versions 2.4.20 to 2.4.39
Fixed version(s)
Apache HTTP Server version 2.4.41
Proof of concept
Unknown
Description
HTTP/2 very early pushes, for example configured with “H2PushResource”, could lead to an overwrite of memory in the pushing request’s pool, leading to crashes. The memory copied is that of the configured push link header values, not data supplied by the client.
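A triage check built from the affected version range and the "H2PushResource" trigger named in this alert, added here as an example and not code from the alert or from the Apache project. The banner and configuration text are constructed samples, and the function names and status strings are assumptions made for illustration.

```python
import re

# Affected range taken from the advisory: 2.4.20 to 2.4.39 (fixed in 2.4.41).
AFFECTED_MIN, AFFECTED_MAX = (2, 4, 20), (2, 4, 39)
VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")
# httpd directive names are case-insensitive.
PUSH_RE = re.compile(r"^\s*H2PushResource\s+(.+?)\s*$", re.IGNORECASE)

# Constructed sample inputs (not taken from any real host).
SAMPLE_BANNER = "Server version: Apache/2.4.38 (Unix)"
SAMPLE_CONFIG = """\
Protocols h2 http/1.1
# H2PushResource /old.css
<Location /index.html>
    H2PushResource /css/site.css
    H2PushResource add /js/app.js critical
</Location>
"""

def parse_version(banner):
    """Extract (major, minor, patch) from `httpd -v` style output."""
    m = VERSION_RE.search(banner)
    return tuple(int(p) for p in m.groups()) if m else None

def find_push_resources(config_text):
    """Return (line number, arguments) for each active H2PushResource line."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = PUSH_RE.match(line)  # commented-out lines start with '#', so no match
        if m:
            hits.append((lineno, m.group(1)))
    return hits

def triage(banner, config_text):
    """Classify a host against the advisory's version range and example trigger."""
    version = parse_version(banner)
    hits = find_push_resources(config_text)
    if version is None:
        status = "unknown-version"
    elif not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        status = "outside-affected-range"
    elif hits:
        status = "affected-push-configured"
    else:
        status = "affected-no-h2pushresource"
    return {"status": status, "version": version, "push_lines": hits}

if __name__ == "__main__":
    print(triage(SAMPLE_BANNER, SAMPLE_CONFIG))
```

The scan reads only the text it is given and does not follow Include directives, and "H2PushResource" is the one trigger the alert gives as an example, so an "affected-no-h2pushresource" result still calls for upgrading to the fixed version.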
Technical details
Unknown
Credits
Craig Young (Tripwire VERT)
Reference(s)
httpd 2.4 vulnerabilities – The Apache HTTP Server Project
https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2019-10081: mod_http2, memory corruption on early pushes
https://seclists.org/oss-sec/2019/q3/137
Apache HTTP Server 2.4.41 Released
https://www.apache.org/dist/httpd/Announcement2.4.html
CVE-2019-10081
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10081
CVE-2019-10081
https://nvd.nist.gov/vuln/detail/CVE-2019-10081
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: August 21, 2019