CVE-2019-0197

Published: Jun 11, 2019Modified: Nov 21, 2024

4.2

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L

Exploitability: 1.6 / Impact: 2.5

Source: NVD

Description

A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. Server that never enabled the h2 protocol or that only enabled it for https: and did not set "H2Upgrade on" are unaffected by this issue.

Affected (24)

Products: Apache: Http Server · Canonical: Ubuntu Linux · Fedoraproject: Fedora · +3 more

Show all products

Apache: Http Server · Canonical: Ubuntu Linux · Fedoraproject: Fedora · Opensuse: Leap · Redhat: Jboss Core Services · Oracle: Communications Session Report Manager, Communications Session Route Manager, Enterprise Manager Ops Center, Http Server, Instantis Enterprisetrack, Retail Xstore Point Of Service

1 product

1 product

1 product

1 product

1 product

6 products

Communications Session Report Manager

Communications Session Route Manager

Enterprise Manager Ops Center

Http Server

Instantis Enterprisetrack

Retail Xstore Point Of Service

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Http Server	From 2.4.34 to 2.4.38

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 18.04
Canonical Ubuntu Linux	Version 19.04

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 30

Configuration D

2 vulnerable

Vulnerable Software	Affected Versions
Opensuse Leap	Version 15.0
Opensuse Leap	Version 42.3

Configuration E

1 vulnerable · 2 platform

Vulnerable Software	Affected Versions
Redhat Jboss Core Services	Version 1.0

Running on/with	Platform Versions
Redhat Enterprise Linux	Version 6.0
Redhat Enterprise Linux	Version 7.0

Configuration F

16 vulnerable

Vulnerable Software	Affected Versions
Oracle Communications Session Report Manager	Version 8.0.0
Oracle Communications Session Report Manager	Version 8.1.0
Oracle Communications Session Report Manager	Version 8.1.1
Oracle Communications Session Report Manager	Version 8.2.0
Oracle Communications Session Route Manager	Version 8.0.0
Oracle Communications Session Route Manager	Version 8.1.0
Oracle Communications Session Route Manager	Version 8.1.1
Oracle Communications Session Route Manager	Version 8.2.0
Oracle Enterprise Manager Ops Center	Version 12.3.3
Oracle Enterprise Manager Ops Center	Version 12.4.0
Oracle Http Server	Version 12.2.1.3.0
Oracle Instantis Enterprisetrack	Version 17.1
Oracle Instantis Enterprisetrack	Version 17.2
Oracle Instantis Enterprisetrack	Version 17.3
Oracle Retail Xstore Point Of Service	Version 7.0
Oracle Retail Xstore Point Of Service	Version 7.1

Related CWEs

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

References (60)

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00051.html

Source: security@apache.org

Mailing ListPatchThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00061.html

Source: security@apache.org

Mailing ListPatchThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00084.html

Source: security@apache.org

Mailing ListPatchThird Party Advisory

http://www.openwall.com/lists/oss-security/2019/04/02/2

Source: security@apache.org

Mailing ListThird Party Advisory

http://www.securityfocus.com/bid/107665

Source: security@apache.org

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2019:3932

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3933

Source: security@apache.org

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3935

Source: security@apache.org

Third Party Advisory

https://httpd.apache.org/security/vulnerabilities_24.html

Source: security@apache.org

Vendor Advisory

https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/e0b8f6e858b1c8ec2ce8e291a2c543d438915037c7af661ab6d33808%40%3Cdev.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E

Source: security@apache.org

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WETXNQWNQLWHV6XNW6YTO5UGDTIWAQGT/

Source: security@apache.org

https://security.netapp.com/advisory/ntap-20190617-0002/

Source: security@apache.org

Third Party Advisory

https://support.f5.com/csp/article/K44591505

Source: security@apache.org

Third Party Advisory

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03950en_us

Source: security@apache.org

Third Party Advisory

https://usn.ubuntu.com/4113-1/

Source: security@apache.org

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2020.html

Source: security@apache.org

Third Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Source: security@apache.org

PatchThird Party Advisory

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Source: security@apache.org

PatchThird Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00051.html