Kayran has detected that the Version of Apache HTTP Server being used is vulnerable to a ‘Push Diary Crash on a Specifically Crafted HTTP/2 Header’.
CVE-2020-9490 is categorized as a ‘Inconsistent Interpretation of HTTP Requests’ vulnerability, otherwise known as ‘HTTP Request/Response Smuggling’ (CWE-444).
CWE-444 occurs when the product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server.
But in fact, it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages should be processed by those entities that are at the ultimate destination.
In the version being used, a specially crafted value for the ‘Cache-Digest’ header in a HTTP/2 request could result in crashes. Which could happen when the server is actually trying to HTTP/2 PUSH a resource afterwards.
It could lead to a decrease in performance and interruptions in the availability of resources.
Configuring the HTTP/2 feature by toggling “H2Push off” could mitigate CVE-2020-9490 for any unpatched servers.
Also, upgrade the version of Apache HTTP Server being used to 2.4.44.