CVE-2020-11993
📋 TL;DR
This vulnerability in Apache HTTP Server's HTTP/2 module allows concurrent memory pool misuse when trace/debug logging is enabled under specific traffic patterns. It affects Apache versions 2.4.20 through 2.4.43 with HTTP/2 enabled. Attackers could potentially cause denial of service or execute arbitrary code.
💻 Affected Systems
- Apache HTTP Server
📦 What is this software?
- Communications Session Report Manager by Oracle
- Communications Session Route Manager by Oracle
- Fedora by Fedoraproject
- Hyperion Infrastructure Technology by Oracle
- Leap by Opensuse
- Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete server compromise and data exfiltration
Likely Case
Denial of service causing server crashes or instability
If Mitigated
Minimal impact with proper logging configuration or patching
🎯 Exploit Status
Exploit requires specific traffic patterns and logging configuration
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.44 or later
Vendor Advisory: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-11993
Restart Required: Yes
Instructions:
1. Download Apache 2.4.44 or later from official sources.
2. Back up the current configuration.
3. Install the updated version.
4. Restart the Apache service.
🔧 Temporary Workarounds
Disable trace/debug logging for HTTP/2
Set LogLevel for mod_http2 to 'info' or lower (i.e., not debug or trace) to prevent exploitation
In httpd.conf or appropriate config file, add: LogLevel http2:info
🧯 If You Can't Patch
- Disable HTTP/2 module entirely if not required
- Implement network segmentation and restrict access to affected servers
🔍 How to Verify
Check if Vulnerable:
Check the Apache version with 'httpd -v', then verify that the HTTP/2 module is loaded and that trace/debug logging is enabled for it
Check Version:
httpd -v
Verify Fix Applied:
Confirm Apache version is 2.4.44+ and verify LogLevel for http2 module is not set to trace/debug
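The three conditions above (affected version, HTTP/2 module loaded, debug/trace logging for mod_http2) can be checked offline from the output of `httpd -v`, `httpd -M` and the configuration files. The following script is an added example, not part of this advisory or of the Apache project; the sample outputs it runs against are constructed, and it simplifies LogLevel handling by treating an `http2:` (or `mod_http2:`) level as overriding the server-wide level and ignoring virtual-host scoping.

```shell
#!/bin/sh
# Added example: offline checks for the advisory's three verification
# conditions. Each function takes its input as a single argument so it can
# be fed real command output, e.g. version_in_affected_range "$(httpd -v)".

# Return 0 if the "Server version: Apache/x.y.z" line names a version in
# the affected range 2.4.20 .. 2.4.43 (non-2.4 versions return 1, no
# version line returns 2). A bare "2.4" without a patch level is treated
# as outside the range.
version_in_affected_range() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 2
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$major" = 2 ] && [ "$minor" = 4 ] || return 1
    [ "$patch" -ge 20 ] && [ "$patch" -le 43 ]
}

# Return 0 if `httpd -M` output lists the HTTP/2 module.
http2_module_loaded() {
    printf '%s\n' "$1" | grep -q '^ *http2_module'
}

# Return 0 if the configuration text enables debug or trace logging for
# mod_http2. A bare LogLevel sets the server-wide level (httpd default is
# warn); an http2:/mod_http2: entry sets the module level, which this
# simplified check treats as taking precedence when present.
http2_logging_is_verbose() {
    printf '%s\n' "$1" | awk '
        BEGIN { g = "warn"; h = "" }
        tolower($1) == "loglevel" {
            for (i = 2; i <= NF; i++) {
                if (index($i, ":") > 0) {
                    split($i, kv, ":")
                    if (kv[1] == "http2" || kv[1] == "mod_http2") h = tolower(kv[2])
                } else {
                    g = tolower($i)
                }
            }
        }
        END {
            eff = (h != "") ? h : g
            exit ((eff ~ /^(debug|trace[1-8])$/) ? 0 : 1)
        }'
}

# All three conditions together: returns 0 only when the server is in the
# affected range, has mod_http2 loaded, and logs it at debug/trace.
exposure_check() {
    version_in_affected_range "$1" \
        && http2_module_loaded "$2" \
        && http2_logging_is_verbose "$3"
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_VERSION='Server version: Apache/2.4.41 (Ubuntu)
Server built:   2020-08-12T19:46:17'
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 http2_module (shared)
 ssl_module (shared)'
SAMPLE_CONF_VULNERABLE='LogLevel warn
LogLevel http2:trace2'
SAMPLE_CONF_MITIGATED='LogLevel warn
LogLevel http2:info'

# Stand-alone demonstration: the first config is exposed, the second is not.
for conf in "$SAMPLE_CONF_VULNERABLE" "$SAMPLE_CONF_MITIGATED"; do
    if exposure_check "$SAMPLE_VERSION" "$SAMPLE_MODULES" "$conf"; then
        echo "EXPOSED: affected version, mod_http2 loaded, debug/trace logging on"
    else
        echo "NOT EXPOSED: at least one condition does not hold"
    fi
done
```

On a live host, replace the constructed samples with `"$(httpd -v)"`, `"$(httpd -M 2>/dev/null)"` and `"$(cat /etc/apache2/apache2.conf)"` (or the distribution's equivalent main configuration file); a server that passes `exposure_check` should be patched to 2.4.44 or later or have its mod_http2 LogLevel lowered as described in the workaround above.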
📡 Detection & Monitoring
Log Indicators:
- Multiple concurrent memory pool errors in error logs
- Unexpected server crashes with HTTP/2 traffic
Network Indicators:
- Unusual HTTP/2 traffic patterns triggering debug logging
SIEM Query:
source="apache_error_log" AND ("concurrent pool" OR ("http2" AND ("trace" OR "debug")))
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00068.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00071.html
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00081.html
- http://packetstormsecurity.com/files/160393/Apache-2-HTTP2-Module-Concurrent-Pool-Usage.html
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-11993
- https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r09bb998baee74a2c316446bd1a41ae7f8d7049d09d9ff991471e8775%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r2c6083f6a2027914a0f5b54e2a1f4fa98c03f8693b58460911818255%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46ce50eee90b2e36%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r5debe8f82728a00a4a68bc904dd6c35423bdfc8d601cfb4579f38bf1%40%3Cdev.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r623de9b2b2433a87f3f3a15900419fc9c00c77b26936dfea4060f672%40%3Cdev.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9e9f1a7609760f0f80562eaaec2aa3c32d525c3e0fca98b475240c71%40%3Cdev.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rdf3e5d0a5f5c3d90d6013bccc6c4d5af59cf1f8c8dea5d9a283d13ce%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf71eb428714374a6f9ad68952e23611ec7807b029fd6a1b4f5f732d9%40%3Ccvs.httpd.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4NKWG2EXAQQB6LMLATKZ7KLSRGCSHVAN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ITVFDBVM6E3JF3O7RYLRPRCH3RDRHJJY/
- https://security.gentoo.org/glsa/202008-04
- https://security.netapp.com/advisory/ntap-20200814-0005/
- https://usn.ubuntu.com/4458-1/
- https://www.debian.org/security/2020/dsa-4757
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html