Apache HTTP/2 Buffer Overflow Vulnerability (CVE-2020-11984)
Aug 27, 2020 GMT+08:00
I. Overview
Apache has officially released a security notice disclosing three security vulnerabilities (CVE-2020-9490, CVE-2020-11993, and CVE-2020-11984). The HTTP/2 buffer overflow vulnerability (CVE-2020-11984) is officially marked as critical. Attackers can exploit this vulnerability in the mod_proxy_uwsgi module of Apache to leak information or remotely execute code.
If you are an Apache HTTP/2 user, check your version and apply security hardening promptly.
For more information about this vulnerability, visit the following website:
https://httpd.apache.org/security/vulnerabilities_24.html
II. Severity
Severity: important
(Severity levels: low, moderate, important, and critical)
III. Affected Products
Affected versions:
Apache HTTP Server: 2.4.32-2.4.43
Secure versions:
Apache HTTP Server: 2.4.44 or later
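One way to run the version check against the range above is the following shell sketch. It is an added example, not part of the original notice or of Apache's own tooling. It classifies an `httpd -v` banner against 2.4.32 to 2.4.43 and looks for `proxy_uwsgi_module` in `httpd -M` output; the function names and verdict strings are assumptions.

```shell
#!/bin/sh
# Added example: compare an Apache httpd banner with the range in this notice.
# Function names and verdict strings are illustrative assumptions.

# Extract "2.4.41" from a line such as "Server version: Apache/2.4.41 (Unix)".
parse_version() {
    printf '%s\n' "$1" |
        sed -n 's|.*Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1
}

# Succeed only for 2.4.32 through 2.4.43 (the affected range in section III).
in_affected_range() {
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    case "$patch" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" = 2 ] && [ "$minor" = 4 ] &&
        [ "$patch" -ge 32 ] && [ "$patch" -le 43 ]
}

# Succeed if a module listing (output of `httpd -M`) contains mod_proxy_uwsgi.
uwsgi_loaded() {
    printf '%s\n' "$1" | grep -q 'proxy_uwsgi_module'
}

# assess BANNER MODULE_LIST -> prints one verdict word.
assess() {
    ver=$(parse_version "$1")
    if [ -z "$ver" ]; then echo "unknown-version"
    elif ! in_affected_range "$ver"; then echo "outside-affected-range"
    elif uwsgi_loaded "$2"; then echo "affected-uwsgi-loaded"
    else echo "affected-uwsgi-not-loaded"   # version still in range: upgrade
    fi
}

# Live check: ./check.sh --live (control-script names vary by distribution).
if [ "${1:-}" = "--live" ]; then
    ctl=$(command -v apachectl || command -v apache2ctl || command -v httpd) ||
        { echo "no httpd control binary found" >&2; exit 1; }
    assess "$("$ctl" -v 2>/dev/null)" "$("$ctl" -M 2>/dev/null)"
fi
```

Distribution packages may backport the fix without changing the upstream version number, so confirm an in-range result against your vendor's advisory before concluding the host is unpatched.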
IV. Vulnerability Handling
This vulnerability has been fixed in the latest official releases. If your version falls into the affected range, upgrade it to a secure version.
Download link: https://httpd.apache.org/download.cgi
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.