Rapid7 Vulnerability & Exploit Database

FreeBSD: VID-CAF545F2-C0D9-11E9-9051-4C72B94353B5 (CVE-2019-10092): Apache -- Multiple vulnerabilities

Free InsightVM Trial No Credit Card Necessary
2024 Attack Intel Report Latest research by Rapid7 Labs
Back to Search

FreeBSD: VID-CAF545F2-C0D9-11E9-9051-4C72B94353B5 (CVE-2019-10092): Apache -- Multiple vulnerabilities

Severity
4
CVSS
(AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published
08/14/2019
Created
08/20/2019
Added
08/18/2019
Modified
10/01/2019

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From VID-CAF545F2-C0D9-11E9-9051-4C72B94353B5:

SO-AND-SO reports:

SECURITY: CVE-2019-10081

mod_http2: HTTP/2 very early pushes, for example configured with "H2PushResource",

could lead to an overwrite of memory in the pushing request's pool,

leading to crashes. The memory copied is that of the configured push

link header values, not data supplied by the client.

SECURITY: CVE-2019-9517

mod_http2: a malicious client could perform a DoS attack by flooding

a connection with requests and basically never reading responses

on the TCP connection. Depending on h2 worker dimensioning, it was

possible to block those with relatively few connections.

SECURITY: CVE-2019-10098

rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable

matches and substitutions with encoded line break characters.

SECURITY: CVE-2019-10092

Remove HTML-escaped URLs from canned error responses to prevent misleading

text/links being displayed via crafted links.

SECURITY: CVE-2019-10097

mod_remoteip: Fix stack buffer overflow and NULL pointer deference

when reading the PROXY protocol header.

CVE-2019-10082

mod_http2: Using fuzzed network input, the http/2 session

handling could be made to read memory after being freed,

during connection shutdown.

Solution(s)

  • freebsd-upgrade-package-apache24

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;