Vulnerability Description
A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. Server that never enabled the h2 protocol or that only enabled it for https: and did not set "H2Upgrade on" are unaffected by this issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Http Server | >= 2.4.34, <= 2.4.38 |
| Canonical | Ubuntu Linux | 16.04 |
| Fedoraproject | Fedora | 30 |
| Opensuse | Leap | 15.0 |
| Redhat | Jboss Core Services | 1.0 |
| Redhat | Enterprise Linux | 6.0 |
| Oracle | Communications Session Report Manager | 8.0.0 |
| Oracle | Communications Session Route Manager | 8.0.0 |
| Oracle | Enterprise Manager Ops Center | 12.3.3 |
| Oracle | Http Server | 12.2.1.3.0 |
| Oracle | Instantis Enterprisetrack | 17.1 |
| Oracle | Retail Xstore Point Of Service | 7.0 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00051.htmlMailing ListPatchThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00061.htmlMailing ListPatchThird Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00084.htmlMailing ListPatchThird Party Advisory
- http://www.openwall.com/lists/oss-security/2019/04/02/2Mailing ListThird Party Advisory
- http://www.securityfocus.com/bid/107665Third Party AdvisoryVDB Entry
- https://access.redhat.com/errata/RHSA-2019:3932Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:3933Third Party Advisory
- https://access.redhat.com/errata/RHSA-2019:3935Third Party Advisory
- https://httpd.apache.org/security/vulnerabilities_24.htmlVendor Advisory
- https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cd
- https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e10
- https://lists.apache.org/thread.html/e0b8f6e858b1c8ec2ce8e291a2c543d438915037c7a
- https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f60
- https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda
- https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37
FAQ
What is CVE-2019-0197?
CVE-2019-0197 is a vulnerability with a CVSS score of 4.2 (MEDIUM). A vulnerability was found in Apache HTTP Server 2.4.34 to 2.4.38. When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 ...
How severe is CVE-2019-0197?
CVE-2019-0197 has been rated MEDIUM with a CVSS base score of 4.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-0197?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Canonical Ubuntu Linux, Fedoraproject Fedora, Opensuse Leap, Redhat Jboss Core Services.