CVE-2020-9490: What You Need to Know

Learn about CVE-2020-9490 affecting Apache HTTP Server versions 2.4.20 to 2.4.43. Understand the impact, technical details, and mitigation steps for this vulnerability.

Apache HTTP Server versions 2.4.20 to 2.4.43 are affected by a vulnerability related to the 'Cache-Digest' header in HTTP/2 requests.

Understanding CVE-2020-9490

This CVE concerns how Apache HTTP Server versions 2.4.20 to 2.4.43 handle the 'Cache-Digest' header in HTTP/2 requests.

What is CVE-2020-9490?

CVE-2020-9490 is a vulnerability in Apache HTTP Server versions 2.4.20 to 2.4.43 that can lead to a crash when the server attempts to HTTP/2 PUSH a resource after receiving a specially crafted value for the 'Cache-Digest' header in an HTTP/2 request.

The Impact of CVE-2020-9490

The vulnerability can result in a crash of the server when trying to push a resource after receiving a manipulated 'Cache-Digest' header in an HTTP/2 request.

Technical Details of CVE-2020-9490

Apache HTTP Server versions 2.4.20 to 2.4.43 are affected by this vulnerability.

Vulnerability Description

A specially crafted value for the 'Cache-Digest' header in an HTTP/2 request can cause a crash when the server attempts to HTTP/2 PUSH a resource.

Affected Systems and Versions

        Product: Apache HTTP Server
        Versions: 2.4.20 to 2.4.43

Exploitation Mechanism

The vulnerability is exploited by sending a manipulated 'Cache-Digest' header in an HTTP/2 request, leading to a crash when the server tries to push a resource.

Mitigation and Prevention

To address CVE-2020-9490, consider the following steps:

Immediate Steps to Take

        On unpatched servers, set "H2Push off" in the HTTP/2 configuration to mitigate the vulnerability.

Long-Term Security Practices

        Regularly update and patch Apache HTTP Server to the latest version.
        Monitor security advisories and apply relevant security updates promptly.

Patching and Updates

Ensure that Apache HTTP Server is updated to a version that includes a fix for CVE-2020-9490.
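
The following is an added example, not code from the original page or from the Apache project: a small triage check that combines the affected version range and the "H2Push off" mitigation described above. The function names (parse_version, directives, assess) and the sample inputs are hypothetical, and the check assumes a flat configuration, so it does not model per-virtual-host scoping or Include files.

```python
import re

# Affected range stated on this page: 2.4.20 through 2.4.43 inclusive.
# Caveat: distribution packages may backport fixes without changing this number.
AFFECTED_MIN, AFFECTED_MAX = (2, 4, 20), (2, 4, 43)

# Constructed sample inputs (not taken from any real server).
SAMPLE_BANNER = "Server version: Apache/2.4.41 (Unix)"
SAMPLE_CONF_WEAK = "Protocols h2 http/1.1\n# H2Push off\n"
SAMPLE_CONF_FIXED = "Protocols h2 http/1.1\nH2Push off\n"

def parse_version(banner):
    """Extract (major, minor, patch) from `httpd -v` style output, or None."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def directives(conf_text):
    """Yield (lowercased name, lowercased args) per directive, skipping comments and section tags."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):
            continue
        parts = line.split()
        yield parts[0].lower(), [a.lower() for a in parts[1:]]

def assess(banner, conf_text):
    """Return 'unknown-version', 'not-affected', 'http2-disabled', 'mitigated' or 'exposed'."""
    version = parse_version(banner)
    if version is None:
        return "unknown-version"
    if not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        return "not-affected"
    h2_enabled, push_values = False, []
    for name, args in directives(conf_text):
        if name == "protocols" and {"h2", "h2c"} & set(args):
            h2_enabled = True
        elif name == "h2push" and args:
            push_values.append(args[0])
    if not h2_enabled:
        return "http2-disabled"  # Protocols defaults to http/1.1 only
    # H2Push defaults to on: require an explicit "off" and no "on" anywhere.
    if push_values and all(v == "off" for v in push_values):
        return "mitigated"
    return "exposed"

if __name__ == "__main__":
    for label, conf in (("weak", SAMPLE_CONF_WEAK), ("fixed", SAMPLE_CONF_FIXED)):
        print(label, assess(SAMPLE_BANNER, conf))
```

A result of "exposed" for a distribution-packaged server should be confirmed against the vendor's own advisory before acting on the version number alone.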
