{
  "threat_severity" : "Moderate",
  "public_date" : "2020-08-07T00:00:00Z",
  "bugzilla" : {
    "description" : "httpd: mod_proxy_uwsgi buffer overflow",
    "id" : "1866563",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1866563"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-119->CWE-400",
  "details" : [ "Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi info disclosure and possible RCE", "A flaw was found in Apache httpd in versions 2.4.32 to 2.4.46. The uwsgi protocol does not serialize more than 16K of HTTP header, leading to resource exhaustion and denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability." ],
  "statement" : "Red Hat Enterprise Linux 5, 6, and 7 do not ship the vulnerable version of httpd and, thus, are not affected.",
  "acknowledgement" : "Red Hat would like to thank the Apache project for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-apr-0:1.6.3-104.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-apr-util-0:1.6.1-75.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-brotli-0:1.0.6-38.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-curl-0:7.64.1-44.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-httpd-0:2.4.37-64.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-jansson-0:2.11-53.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.14-11.Final_redhat_2.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-mod_http2-0:1.15.7-11.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-mod_jk-0:1.2.48-10.redhat_1.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-mod_md-1:2.0.8-30.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-mod_security-0:2.9.2-57.GA.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-nghttp2-0:1.39.2-34.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 6",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6",
    "package" : "jbcs-httpd24-openssl-1:1.1.1c-32.jbcs.el6"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-apr-0:1.6.3-104.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-apr-util-0:1.6.1-75.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-brotli-0:1.0.6-38.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-curl-0:7.64.1-44.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-httpd-0:2.4.37-64.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-jansson-0:2.11-53.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.14-11.Final_redhat_2.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_http2-0:1.15.7-11.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_jk-0:1.2.48-10.redhat_1.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_md-1:2.0.8-30.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_security-0:2.9.2-57.GA.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-nghttp2-0:1.39.2-34.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-openssl-1:1.1.1c-32.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4384",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-openssl-chil-0:1.0.0-1.jbcs.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-05-18T00:00:00Z",
    "advisory" : "RHSA-2021:1809",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "httpd:2.4-8040020210127115317.9f9e2e7e"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2020-12-01T00:00:00Z",
    "advisory" : "RHBA-2020:5280",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "httpd24-httpd-0:2.4.34-22.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS",
    "release_date" : "2020-12-01T00:00:00Z",
    "advisory" : "RHBA-2020:5280",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "httpd24-httpd-0:2.4.34-22.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS",
    "release_date" : "2020-12-01T00:00:00Z",
    "advisory" : "RHBA-2020:5280",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "httpd24-httpd-0:2.4.34-22.el7"
  }, {
    "product_name" : "Text-Only JBCS",
    "release_date" : "2020-10-28T00:00:00Z",
    "advisory" : "RHSA-2020:4383",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1",
    "package" : "httpd"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2",
    "fix_state" : "Out of support scope",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-11984\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-11984\nhttps://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-11984" ],
  "name" : "CVE-2020-11984",
  "mitigation" : {
    "value" : "This flaw only affects specific httpd configurations which use the uwsgi protocol. It does not manifest itself when the uwsgi protocol is not used. Commenting out \"LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so\" in /etc/httpd/conf.modules.d/00-proxy.conf will disable the loading of the vulnerable module.",
    "lang" : "en:us"
  },
  "csaw" : false
}