First published: Fri Aug 07 2020(Updated: )
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in a HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
debian/apache2 | 2.4.62-1~deb11u1 2.4.62-1~deb11u2 2.4.62-1~deb12u2 2.4.63-1 | |
Apache Http Server | >=2.4.20<2.4.46 | |
Oracle Communications Element Manager | >=8.2.0<=8.2.2 | |
Oracle Communications Session Report Manager | >=8.2.0<=8.2.2 | |
Oracle Communications Session Route Manager | >=8.2.0<=8.2.2 | |
Oracle Enterprise Manager Ops Center | =12.4.0.0 | |
Oracle Hyperion Infrastructure Technology | =11.1.2.4 | |
Oracle Instantis EnterpriseTrack | =17.1 | |
Oracle Instantis EnterpriseTrack | =17.2 | |
Oracle Instantis EnterpriseTrack | =17.3 | |
Oracle Storage Cloud Software Appliance | =8.8 | |
SUSE Linux | =15.1 | |
SUSE Linux | =15.2 | |
Debian Linux | =10.0 | |
Red Hat Fedora | =31 | |
Red Hat Fedora | =32 | |
Ubuntu | =16.04 | |
Ubuntu | =18.04 | |
Ubuntu | =20.04 | |
All of | ||
Red Hat Software Collections | =1.0 | |
Any of | ||
Red Hat Enterprise Linux | =6.0 | |
Red Hat Enterprise Linux | =7.0 | |
Red Hat Enterprise Linux | =7.6 | |
Red Hat Enterprise Linux | =7.7 | |
Red Hat OpenStack for IBM Power | =16.1 | |
Red Hat OpenStack for IBM Power | =16.1 | |
Red Hat Enterprise Linux | =8.0 | |
Red Hat Enterprise Linux Server EUS | =8.1 | |
Red Hat Enterprise Linux Server EUS | =8.2 | |
Red Hat Enterprise Linux Server EUS | =8.4 | |
Red Hat Enterprise Linux Server EUS | =8.6 | |
Red Hat Enterprise Linux for IBM Z Systems | =8.0 | |
Red Hat Enterprise Linux for IBM Z Systems (s390x) | =8.1 | |
Red Hat Enterprise Linux for IBM Z Systems (s390x) | =8.2 | |
Red Hat Enterprise Linux for IBM Z Systems (s390x) | =8.4 | |
Red Hat Enterprise Linux for IBM Z Systems (s390x) | =8.6 | |
Red Hat Enterprise Linux for Power, little endian | =8.0 | |
Red Hat Enterprise Linux for Power, little endian - Extended Update Support | =8.1 | |
Red Hat Enterprise Linux for Power, little endian - Extended Update Support | =8.2 | |
Red Hat Enterprise Linux for Power, little endian - Extended Update Support | =8.4 | |
Red Hat Enterprise Linux for Power, little endian - Extended Update Support | =8.6 | |
Red Hat Enterprise Linux Server | =8.2 | |
Red Hat Enterprise Linux Server | =8.4 | |
Red Hat Enterprise Linux Server | =8.6 | |
Red Hat Enterprise Linux for SAP Applications for Power, little endian - Extended Update Support | =8.1 | |
Red Hat Enterprise Linux for SAP Applications for Power, little endian - Extended Update Support | =8.2 | |
Red Hat Enterprise Linux for SAP Applications for Power, little endian - Extended Update Support | =8.4 | |
Red Hat Enterprise Linux for SAP Applications for Power, little endian - Extended Update Support | =8.6 | |
Red Hat Enterprise Linux Server | =8.2 | |
Red Hat Enterprise Linux Server | =8.4 | |
Red Hat Enterprise Linux Server | =8.6 | |
Red Hat Enterprise Linux Server Update Services for SAP Solutions | =8.1 | |
Red Hat Enterprise Linux Server Update Services for SAP Solutions | =8.2 | |
Red Hat Enterprise Linux Server Update Services for SAP Solutions | =8.4 | |
Red Hat Enterprise Linux Server Update Services for SAP Solutions | =8.6 | |
Red Hat Software Collections | =1.0 | |
Red Hat Enterprise Linux | =6.0 | |
Red Hat Enterprise Linux | =7.0 | |
Red Hat Enterprise Linux | =7.6 | |
Red Hat Enterprise Linux | =7.7 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2020-9490 has a severity level that can cause a crash in affected Apache HTTP Server instances.
To mitigate CVE-2020-9490, configure the HTTP/2 feature by setting 'H2Push off' in your Apache HTTP Server configuration.
Apache HTTP Server versions 2.4.20 to 2.4.43 are impacted by CVE-2020-9490.
Exploiting CVE-2020-9490 can lead to unexpected crashes of the Apache HTTP Server.
While there is no specific patch, applying the mitigation by disabling HTTP/2 push can prevent its exploitation.