Red Hat update for Red Hat JBoss Core Services Apache HTTP Server 2.4.37 SP3
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 9 |
| CVE-ID | CVE-2018-20843 CVE-2019-0196 CVE-2019-0197 CVE-2019-15903 CVE-2019-19956 CVE-2019-20388 CVE-2020-1934 CVE-2020-7595 CVE-2020-11080 |
| CWE-ID | CWE-611 CWE-416 CWE-399 CWE-125 CWE-401 CWE-457 CWE-835 CWE-400 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #4 is available. |
| Vulnerable software Subscribe |
jbcs-httpd24-mod_http2 (Red Hat package) Operating systems & Components / Operating system package or component jbcs-httpd24-httpd (Red Hat package) Operating systems & Components / Operating system package or component jbcs-httpd24-nghttp2 (Red Hat package) Operating systems & Components / Operating system package or component jbcs-httpd24-mod_security (Red Hat package) Operating systems & Components / Operating system package or component jbcs-httpd24-curl (Red Hat package) Operating systems & Components / Operating system package or component jbcs-httpd24-openssl-pkcs11 (Red Hat package) Operating systems & Components / Operating system package or component jbcs-httpd24-mod_md (Red Hat package) Operating systems & Components / Operating system package or component |
| Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 9 vulnerabilities.
1) XML External Entity injection
EUVDB-ID: #VU18923
Risk: Medium
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C]
CVE-ID: CVE-2018-20843
CWE-ID:
CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied XML input including XML names that contain a large number of colons. A remote attacker can pass a specially crafted XML code to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.
Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.
MitigationInstall updates from vendor's website.
jbcs-httpd24-mod_http2 (Red Hat package): 1.11.3-8.jbcs.el6 - 1.11.3-22.jbcs.el7
jbcs-httpd24-httpd (Red Hat package): 2.4.37-33.jbcs.el6 - 2.4.37-52.jbcs.el7
jbcs-httpd24-nghttp2 (Red Hat package): 1.39.2-1.jbcs.el6 - 1.39.2-10.jbcs.el7
jbcs-httpd24-mod_security (Red Hat package): 2.9.2-16.GA.jbcs.el6 - 2.9.2-20.GA.jbcs.el7
jbcs-httpd24-curl (Red Hat package): 7.64.1-14.jbcs.el6 - 7.64.1-21.jbcs.el7
jbcs-httpd24-openssl-pkcs11 (Red Hat package): before 0.4.10-7.jbcs.el7
jbcs-httpd24-mod_md (Red Hat package): before 2.0.8-24.jbcs.el7
External linkshttp://access.redhat.com/errata/RHSA-2020:2644
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
2) Use-after-free
EUVDB-ID: #VU18109
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-0196
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform denial of service attack.
The vulnerability exists due to a use-after-free error within the mod_http2 module when processing HTTP/2 requests. A remote attacker can make the application to access freed memory during string comparison when determining the method of a request and process the request incorrectly.
Successful exploitation of the vulnerability may allow an attacker to gain access to sensitive information or perform a denial of service attack.
MitigationInstall updates from vendor's website.
jbcs-httpd24-mod_http2 (Red Hat package): 1.11.3-8.jbcs.el6 - 1.11.3-22.jbcs.el7
jbcs-httpd24-httpd (Red Hat package): 2.4.37-33.jbcs.el6 - 2.4.37-52.jbcs.el7
jbcs-httpd24-nghttp2 (Red Hat package): 1.39.2-1.jbcs.el6 - 1.39.2-10.jbcs.el7
jbcs-httpd24-mod_security (Red Hat package): 2.9.2-16.GA.jbcs.el6 - 2.9.2-20.GA.jbcs.el7
jbcs-httpd24-curl (Red Hat package): 7.64.1-14.jbcs.el6 - 7.64.1-21.jbcs.el7
jbcs-httpd24-openssl-pkcs11 (Red Hat package): before 0.4.10-7.jbcs.el7
jbcs-httpd24-mod_md (Red Hat package): before 2.0.8-24.jbcs.el7
External linkshttp://access.redhat.com/errata/RHSA-2020:2644
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Resource management error
EUVDB-ID: #VU18108
Risk: Medium
CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-0197
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an error within the mod_http2 module when processing update requests from http/1.1 to http/2, if this was not the first request on a connection. A remote attacker can send specially crafted requests to the affected server and perform denial of service attack.
Successful exploitation of the vulnerability requires that HTTP/2 protocol is enabled for a "http:" host or H2Upgrade is enabled for h2 on a "https:" host.
Install updates from vendor's website.
jbcs-httpd24-mod_http2 (Red Hat package): 1.11.3-8.jbcs.el6 - 1.11.3-22.jbcs.el7
jbcs-httpd24-httpd (Red Hat package): 2.4.37-33.jbcs.el6 - 2.4.37-52.jbcs.el7
jbcs-httpd24-nghttp2 (Red Hat package): 1.39.2-1.jbcs.el6 - 1.39.2-10.jbcs.el7
jbcs-httpd24-mod_security (Red Hat package): 2.9.2-16.GA.jbcs.el6 - 2.9.2-20.GA.jbcs.el7
jbcs-httpd24-curl (Red Hat package): 7.64.1-14.jbcs.el6 - 7.64.1-21.jbcs.el7
jbcs-httpd24-openssl-pkcs11 (Red Hat package): before 0.4.10-7.jbcs.el7
jbcs-httpd24-mod_md (Red Hat package): before 2.0.8-24.jbcs.el7
External linkshttp://access.redhat.com/errata/RHSA-2020:2644
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Out-of-bounds read
EUVDB-ID: #VU21091
Risk: Medium
CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-15903
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information or perform denial of service (DoS) attack.
The vulnerability exists due to a boundary error when processing XML documents within the expat library. A remote attacker can create a specially crafted XML file, pass it to the affected application, trigger out-of-bounds read error and read contents of memory on the system or crash the affected application.
MitigationInstall updates from vendor's website.
jbcs-httpd24-mod_http2 (Red Hat package): 1.11.3-8.jbcs.el6 - 1.11.3-22.jbcs.el7
jbcs-httpd24-httpd (Red Hat package): 2.4.37-33.jbcs.el6 - 2.4.37-52.jbcs.el7
jbcs-httpd24-nghttp2 (Red Hat package): 1.39.2-1.jbcs.el6 - 1.39.2-10.jbcs.el7
jbcs-httpd24-mod_security (Red Hat package): 2.9.2-16.GA.jbcs.el6 - 2.9.2-20.GA.jbcs.el7
jbcs-httpd24-curl (Red Hat package): 7.64.1-14.jbcs.el6 - 7.64.1-21.jbcs.el7
jbcs-httpd24-openssl-pkcs11 (Red Hat package): before 0.4.10-7.jbcs.el7
jbcs-httpd24-mod_md (Red Hat package): before 2.0.8-24.jbcs.el7
External linkshttp://access.redhat.com/errata/RHSA-2020:2644
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
5) Memory leak
EUVDB-ID: #VU24489
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-19956
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due memory leak in xmlParseBalancedChunkMemoryRecover in parser.c. A remote attacker can trigger a memory leak related to newDoc->oldNs and perform denial of service attack.
MitigationInstall updates from vendor's website.
jbcs-httpd24-mod_http2 (Red Hat package): 1.11.3-8.jbcs.el6 - 1.11.3-22.jbcs.el7
jbcs-httpd24-httpd (Red Hat package): 2.4.37-33.jbcs.el6 - 2.4.37-52.jbcs.el7
jbcs-httpd24-nghttp2 (Red Hat package): 1.39.2-1.jbcs.el6 - 1.39.2-10.jbcs.el7
jbcs-httpd24-mod_security (Red Hat package): 2.9.2-16.GA.jbcs.el6 - 2.9.2-20.GA.jbcs.el7
jbcs-httpd24-curl (Red Hat package): 7.64.1-14.jbcs.el6 - 7.64.1-21.jbcs.el7
jbcs-httpd24-openssl-pkcs11 (Red Hat package): before 0.4.10-7.jbcs.el7
jbcs-httpd24-mod_md (Red Hat package): before 2.0.8-24.jbcs.el7
External linkshttp://access.redhat.com/errata/RHSA-2020:2644
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Memory leak
EUVDB-ID: #VU24487
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-20388
CWE-ID:
CWE-401 - Missing release of memory after effective lifetime
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform DoS attack on the target system.
The vulnerability exists due memory leak in xmlSchemaPreRun in xmlschemas.c. A remote attacker can trigger a xmlSchemaValidateStream memory leak and perform denial of service attack.
MitigationInstall updates from vendor's website.
jbcs-httpd24-mod_http2 (Red Hat package): 1.11.3-8.jbcs.el6 - 1.11.3-22.jbcs.el7
jbcs-httpd24-httpd (Red Hat package): 2.4.37-33.jbcs.el6 - 2.4.37-52.jbcs.el7
jbcs-httpd24-nghttp2 (Red Hat package): 1.39.2-1.jbcs.el6 - 1.39.2-10.jbcs.el7
jbcs-httpd24-mod_security (Red Hat package): 2.9.2-16.GA.jbcs.el6 - 2.9.2-20.GA.jbcs.el7
jbcs-httpd24-curl (Red Hat package): 7.64.1-14.jbcs.el6 - 7.64.1-21.jbcs.el7
jbcs-httpd24-openssl-pkcs11 (Red Hat package): before 0.4.10-7.jbcs.el7
jbcs-httpd24-mod_md (Red Hat package): before 2.0.8-24.jbcs.el7
External linkshttp://access.redhat.com/errata/RHSA-2020:2644
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Use of Uninitialized Variable
EUVDB-ID: #VU26528
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-1934
CWE-ID:
CWE-457 - Use of Uninitialized Variable
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the "mod_proxy_ftp" may use uninitialized memory when proxying to a malicious FTP server. A remote attacker can gain unauthorized access to sensitive information on the target system.
MitigationInstall updates from vendor's website.
jbcs-httpd24-mod_http2 (Red Hat package): 1.11.3-8.jbcs.el6 - 1.11.3-22.jbcs.el7
jbcs-httpd24-httpd (Red Hat package): 2.4.37-33.jbcs.el6 - 2.4.37-52.jbcs.el7
jbcs-httpd24-nghttp2 (Red Hat package): 1.39.2-1.jbcs.el6 - 1.39.2-10.jbcs.el7
jbcs-httpd24-mod_security (Red Hat package): 2.9.2-16.GA.jbcs.el6 - 2.9.2-20.GA.jbcs.el7
jbcs-httpd24-curl (Red Hat package): 7.64.1-14.jbcs.el6 - 7.64.1-21.jbcs.el7
jbcs-httpd24-openssl-pkcs11 (Red Hat package): before 0.4.10-7.jbcs.el7
jbcs-httpd24-mod_md (Red Hat package): before 2.0.8-24.jbcs.el7
External linkshttp://access.redhat.com/errata/RHSA-2020:2644
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Infinite loop
EUVDB-ID: #VU24488
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-7595
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop in xmlStringLenDecodeEntities in parser.c. A remote attacker can consume all available system resources and cause denial of service conditions in a certain end-of-file situation.
MitigationInstall updates from vendor's website.
jbcs-httpd24-mod_http2 (Red Hat package): 1.11.3-8.jbcs.el6 - 1.11.3-22.jbcs.el7
jbcs-httpd24-httpd (Red Hat package): 2.4.37-33.jbcs.el6 - 2.4.37-52.jbcs.el7
jbcs-httpd24-nghttp2 (Red Hat package): 1.39.2-1.jbcs.el6 - 1.39.2-10.jbcs.el7
jbcs-httpd24-mod_security (Red Hat package): 2.9.2-16.GA.jbcs.el6 - 2.9.2-20.GA.jbcs.el7
jbcs-httpd24-curl (Red Hat package): 7.64.1-14.jbcs.el6 - 7.64.1-21.jbcs.el7
jbcs-httpd24-openssl-pkcs11 (Red Hat package): before 0.4.10-7.jbcs.el7
jbcs-httpd24-mod_md (Red Hat package): before 2.0.8-24.jbcs.el7
External linkshttp://access.redhat.com/errata/RHSA-2020:2644
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Resource exhaustion
EUVDB-ID: #VU28538
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-11080
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when processing HTTP/2 SETTINGS frames. A remote attacker can trigger high CPU load by sending large HTTP/2 SETTINGS frames and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
jbcs-httpd24-mod_http2 (Red Hat package): 1.11.3-8.jbcs.el6 - 1.11.3-22.jbcs.el7
jbcs-httpd24-httpd (Red Hat package): 2.4.37-33.jbcs.el6 - 2.4.37-52.jbcs.el7
jbcs-httpd24-nghttp2 (Red Hat package): 1.39.2-1.jbcs.el6 - 1.39.2-10.jbcs.el7
jbcs-httpd24-mod_security (Red Hat package): 2.9.2-16.GA.jbcs.el6 - 2.9.2-20.GA.jbcs.el7
jbcs-httpd24-curl (Red Hat package): 7.64.1-14.jbcs.el6 - 7.64.1-21.jbcs.el7
jbcs-httpd24-openssl-pkcs11 (Red Hat package): before 0.4.10-7.jbcs.el7
jbcs-httpd24-mod_md (Red Hat package): before 2.0.8-24.jbcs.el7
External linkshttp://access.redhat.com/errata/RHSA-2020:2644
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
