Mrs. Christiana Kozakou, is the Head of Marketing at Odyssey Cybersecurity, where she leads and oversees strategic marketing efforts for Odyssey and ClearSkies brands around the globe. Her expertise lies in designing and coordinating 360-degree marketing campaigns and crafting effective marketing penetration strategies for exploring new markets. Mrs. Kozakou is a dynamic professional driven by her passion for unleashing potential in every endeavour, leading a team of creative marketers, working together towards one goal: to give voice to Odyssey and its people so the world can become a cyber safer place. Throughout her 10 years career, Mrs. Kozakou has served in key roles in Advertising, Business Development and Digital Marketing in International companies. A fervent believer in empowering women, she served as a dedicated volunteer for IWIB’s International Team, fostering growth and opportunities for aspiring leaders. Her educational background boasts a Master of Business Administration (MBA), Bachelor’s degrees in Marketing and Sociology.
Three New Vulnerabilities Affecting Apache Web Servers
Threat Level Description
Threat Level: High - An attack is highly likely. Additional and sustainable protective security measures reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.
We have observed that 3 new vulnerabilities, affecting the Apache Web Servers, have been identified.
These vulnerabilities, tracked as CVE-2020-9490, CVE-2020-11984, CVE-2020-11993, could lead to the execution of arbitrary code and denial of service attacks.
The first flaw is a remote code execution vulnerability due to a buffer overflow in the “mod_uwsgi” module (CVE-2020-11984). This issue could allow an attacker to view, change, or delete sensitive data, depending on the privileges associated with an application running on the server.
The second vulnerability concerns a flaw that is triggered when debugging is enabled in the “mod_http2” module (CVE-2020-11993). It causes logging statements to be made on the wrong connection, resulting in memory corruption due to the concurrent log pool usage.
The third flaw (CVE-2020-9490), also resides in the HTTP/2 module, and uses a specially crafted “Cache-Digest” header to cause a memory corruption that could lead to denial of service.
“Cache Digest” is part of a now-abandoned web optimization feature that aims to address an issue with server “pushes”. “Cache Digest” allows a server to preemptively send responses to a client ahead of time by allowing the clients to inform the server of their freshly cached contents. Thus, the bandwidth is not wasted in sending resources that are already in the client’s cache.
When a specially crafted value is injected into the ‘Cache-Digest’ header, in an HTTP/2 request, it would cause a crash when the server sends a PUSH packet.
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
Apache HTTP Server versions 2.4.20 to 2.4.43 When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" will mitigate this vulnerability for unpatched servers.
Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE
You should immediately proceed and upgrade to the latest version of Apache Web Server software.
Note that the third vulnerability (CVE-2020-9490), can be resolved by turning the “HTTP/2 server push” feature off, on unpatched servers.
You should understand the importance of security updates, and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to apply an efficient patch management solution and always have enabled an active event security logging and practice event monitoring. To protect the valuable assets of your business and be compliant with the relevant industry regulations requires a comprehensive approach to the management of risk, including Penetration Testing at least annually and upon significant changes.