Allele Security Alert
Stack buffer overflow and NULL pointer dereference in mod_remoteip
The Apache Software Foundation
Apache HTTP Server
Apache HTTP Server versions 2.4.32 to 2.4.39
Apache HTTP Server version 2.4.41
Proof of concept
When mod_remoteip was configured to use a trusted intermediary proxy server using the “PROXY” protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer dereference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients.
Daniel McCarney (Let’s Encrypt / Internet Security Research Group (ISRG))
httpd 2.4 vulnerabilities – The Apache HTTP Server Project
CVE-2019-10097: mod_remoteip stack buffer overflow and NULL pointer dereference
Apache HTTP Server 2.4.41 Released
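An exposure check for the condition described above, as an added example that is not part of the original alert or of the Apache project's code: a server is flagged only when its version falls in the range listed here and mod_remoteip's `RemoteIPProxyProtocol` directive is switched on. The function names, the result labels and the sample configuration are constructed for illustration, and the check assumes the configuration text passed in already includes any included files.

```python
import re

# Version range taken from this alert: 2.4.32 to 2.4.39 listed, 2.4.41 released after.
AFFECTED_MIN = (2, 4, 32)
AFFECTED_MAX = (2, 4, 39)

def parse_version(banner):
    """Extract (major, minor, patch) from `httpd -v` output or a Server header."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Apache version found in %r" % banner)
    return tuple(int(x) for x in m.groups())

def proxy_protocol_enabled(config_text):
    """True if any uncommented RemoteIPProxyProtocol directive is set to On."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):      # httpd comments start the line
            continue
        parts = stripped.split()
        # Directive names are case-insensitive; the exact-name match keeps
        # RemoteIPProxyProtocolExceptions from being counted.
        if len(parts) >= 2 and parts[0].lower() == "remoteipproxyprotocol":
            if parts[1].strip('"').lower() == "on":
                return True
    return False

def assess(banner, config_text):
    """Classify a server from its version banner and its configuration text."""
    in_range = AFFECTED_MIN <= parse_version(banner) <= AFFECTED_MAX
    if in_range and proxy_protocol_enabled(config_text):
        return "exposed"
    if in_range:
        return "affected-version-feature-off"
    return "not-affected-version"

# Constructed sample configuration (not taken from any real server).
SAMPLE_CONFIG = """\
LoadModule remoteip_module modules/mod_remoteip.so
# RemoteIPProxyProtocol Off
<VirtualHost *:8080>
    remoteipproxyprotocol On
    RemoteIPProxyProtocolExceptions 127.0.0.1
</VirtualHost>
"""

if __name__ == "__main__":
    print(assess("Server version: Apache/2.4.38 (Debian)", SAMPLE_CONFIG))
```

A distribution package may carry a backported fix without changing the upstream version string, so an "exposed" result should be confirmed against the vendor's own advisory.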
Last modified: August 21, 2019