First published: Fri Aug 07 2020(Updated: )
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
debian/apache2 | 2.4.62-1~deb11u1 2.4.62-1~deb11u2 2.4.62-1~deb12u2 2.4.63-1 | |
Apache Http Server | >=2.4.20<2.4.46 | |
oracle communications element manager | >=8.2.0<=8.2.2 | |
oracle communications session report manager | >=8.2.0<=8.2.2 | |
oracle communications session route manager | >=8.2.0<=8.2.2 | |
Oracle Enterprise Manager Ops Center | =12.4.0.0 | |
oracle hyperion infrastructure technology | =11.1.2.4 | |
oracle instantis enterprisetrack | =17.1 | |
oracle instantis enterprisetrack | =17.2 | |
oracle instantis enterprisetrack | =17.3 | |
Oracle Sun ZFS Storage Appliance Kit | =8.8 | |
openSUSE | =15.1 | |
openSUSE | =15.2 | |
Debian | =10.0 | |
Fedora | =31 | |
Fedora | =32 | |
Ubuntu | =16.04 | |
Ubuntu | =18.04 | |
Ubuntu | =20.04 | |
All of | ||
redhat software collections | =1.0 | |
Any of | ||
Red Hat Enterprise Linux | =6.0 | |
Red Hat Enterprise Linux | =7.0 | |
Red Hat Enterprise Linux | =7.6 | |
Red Hat Enterprise Linux | =7.7 | |
redhat openstack | =16.1 | |
redhat openstack for ibm power | =16.1 | |
Red Hat Enterprise Linux | =8.0 | |
redhat enterprise Linux eus | =8.1 | |
redhat enterprise Linux eus | =8.2 | |
redhat enterprise Linux eus | =8.4 | |
redhat enterprise Linux eus | =8.6 | |
redhat enterprise Linux for ibm z systems | =8.0 | |
redhat enterprise Linux for ibm z systems eus | =8.1 | |
redhat enterprise Linux for ibm z systems eus | =8.2 | |
redhat enterprise Linux for ibm z systems eus | =8.4 | |
redhat enterprise Linux for ibm z systems eus | =8.6 | |
redhat enterprise Linux for power little endian | =8.0 | |
redhat enterprise Linux for power little endian eus | =8.1 | |
redhat enterprise Linux for power little endian eus | =8.2 | |
redhat enterprise Linux for power little endian eus | =8.4 | |
redhat enterprise Linux for power little endian eus | =8.6 | |
redhat enterprise Linux server aus | =8.2 | |
redhat enterprise Linux server aus | =8.4 | |
redhat enterprise Linux server aus | =8.6 | |
redhat enterprise Linux server for power little endian update services for sap solutions | =8.1 | |
redhat enterprise Linux server for power little endian update services for sap solutions | =8.2 | |
redhat enterprise Linux server for power little endian update services for sap solutions | =8.4 | |
redhat enterprise Linux server for power little endian update services for sap solutions | =8.6 | |
redhat enterprise Linux server tus | =8.2 | |
redhat enterprise Linux server tus | =8.4 | |
redhat enterprise Linux server tus | =8.6 | |
redhat enterprise Linux server update services for sap solutions | =8.1 | |
redhat enterprise Linux server update services for sap solutions | =8.2 | |
redhat enterprise Linux server update services for sap solutions | =8.4 | |
redhat enterprise Linux server update services for sap solutions | =8.6 | |
redhat software collections | =1.0 | |
Red Hat Enterprise Linux | =6.0 | |
Red Hat Enterprise Linux | =7.0 | |
Red Hat Enterprise Linux | =7.6 | |
Red Hat Enterprise Linux | =7.7 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2020-9490 has a severity level that can cause a crash in affected Apache HTTP Server instances.
To mitigate CVE-2020-9490, configure the HTTP/2 feature by setting 'H2Push off' in your Apache HTTP Server configuration.
Apache HTTP Server versions 2.4.20 to 2.4.43 are impacted by CVE-2020-9490.
Exploiting CVE-2020-9490 can lead to unexpected crashes of the Apache HTTP Server.
While there is no specific patch, applying the mitigation by disabling HTTP/2 push can prevent its exploitation.