Apache 2 HTTP2 Module Concurrent Pool Usage

Risk: Medium
Local: No
Remote: Yes
CWE: CWE-444

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

apache2: concurrent pool usage in http2 module h2_mplx.c contains a number of calls to ap_log_cerror using m->c (the master connection) as an argument. These calls can trigger allocations using the m->c->pool. One example is core_generate_log_id. As some of the code in h2_mplx.c is executed on a worker thread, it is possible that the main thread performs a parallel allocation and corrupts the pool. (apr memory pools are not thread-safe) Most logging calls are using DEBUG and TRACE levels and can't be exploited in a production environment. However, the task_done function calls ap_log_cerror with APLOG_INFO when throttling tasks, which can be triggered by a malicious client: h2_mplx.c:809 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, m->c, H2_STRM_MSG(stream, \"redo, added to q\")); This bug is subject to a 90 day disclosure deadline. After 90 days elapse, the bug report will become visible to the public. The scheduled disclosure date is 2020-09-14. Disclosure at an earlier date is also possible if agreed upon by all parties. Related CVE Numbers: CVE-2020-11993. Found by: fwilhelm@google.com

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com


Back to Top