Apache HTTP Server 2.4.67: critical patch for a severe HTTP/2 vulnerability that could cause denial of service and remote code execution

Published · 3 min read

The Apache Foundation has published critical patches for the HTTP Server after a serious vulnerability was found in its HTTP/2 handling that can result in denial of service and, under certain conditions, remote code execution. The fixed version is Apache HTTP Server 2.4.67, and the immediate recommendation for administrators is to update as soon as possible any affected instances still running 2.4.66 or earlier.

The flaw lies in the stream cleanup logic of mod_http2 and is a classic double free that can be triggered by a sequence of HTTP/2 frames sent by a client. In practical terms, this means a remote attacker can crash a worker with a couple of well-formed packets; the denial of service is trivial to reproduce on default deployments. The path to remote code execution (RCE) requires additional conditions, namely an mmap-based memory allocation in APR and a chain of steps to reuse the freed address, but researchers have shown it to be viable in the lab under common Debian configurations and in the official httpd Docker image.


The fact that RCE exploitation depends on mmap and on elements such as the server's "scoreboard" makes some platforms more attractive targets: on Debian and in the official Docker image the default behaviour eases the exploit flow. Multi-threaded configurations with mod_http2 enabled are the most exposed; the prefork MPM is not affected by this flaw, so temporarily switching to prefork can be a partial mitigation in environments where patching immediately is not possible.

Beyond the patch, the immediate mitigations to consider are: update to 2.4.67 on all exposed servers, disable mod_http2 if it is not strictly necessary, and check whether APR is using mmap (rebuilding APR without mmap reduces the exploitation window). For container environments, make sure to rebuild and deploy images based on the fixed server version and verify that production images are not still running the vulnerable version.


Operators and security teams should watch for clear abuse indicators: connection patterns that cause repeated worker restarts, core dumps, or unusual entries in the httpd error logs. Implementing rate limits at the load balancer or firewall, or terminating HTTP/2 at a patched TLS proxy/terminator, can contain targeted attacks while the fleet-wide update is rolled out.
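As an added example of the "repeated worker restarts" indicator mentioned above (this is not code from the article or from the Apache project), the following Python script parses httpd error_log lines and flags windows in which several child workers died with a signal. The log lines are constructed for the example, and the AH000xx message codes are assumed to match httpd's child-exit notices.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of httpd error_log lines (made up for this example; the
# AH000xx message codes are assumed to match httpd's child-exit notices).
SAMPLE_LOG = """\
[Mon Jan 15 10:00:01.100000 2024] [core:notice] [pid 100:tid 1] AH00052: child pid 2001 exit signal Segmentation fault (11)
[Mon Jan 15 10:00:02.200000 2024] [core:notice] [pid 100:tid 1] AH00052: child pid 2002 exit signal Segmentation fault (11)
[Mon Jan 15 10:00:03.300000 2024] [core:notice] [pid 100:tid 1] AH00051: child pid 2003 exit signal Aborted (6), possible coredump in /var/cache/apache2/core
[Mon Jan 15 10:00:05.000000 2024] [core:notice] [pid 100:tid 1] AH00094: Command line: '/usr/sbin/apache2'
[Mon Jan 15 10:30:00.000000 2024] [core:notice] [pid 100:tid 1] AH00052: child pid 2050 exit signal Segmentation fault (11)
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<mod>[^\]]+)\] \[pid [^\]]+\] (?P<msg>.*)$")
CRASH_RE = re.compile(r"child pid (?P<pid>\d+) exit signal (?P<sig>[\w ]+?) \((?P<num>\d+)\)")
TS_FMT = "%a %b %d %H:%M:%S.%f %Y"
EPOCH = datetime(1970, 1, 1)


def parse_crash_events(text):
    """Return (timestamp, child pid, signal name, signal number) for each worker crash."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c = CRASH_RE.search(m.group("msg"))
        if not c:
            continue
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        events.append((ts, int(c.group("pid")), c.group("sig"), int(c.group("num"))))
    return events


def find_crash_bursts(text, window_s=60, threshold=3):
    """Bucket worker crashes into fixed windows and flag windows at or above threshold.

    A burst of child exits on signal 11 or 6 within a short window is the footprint a
    remotely triggered memory-safety crash leaves in error_log, unlike a lone crash.
    """
    buckets = Counter()
    for ts, _pid, _sig, _num in parse_crash_events(text):
        secs = int((ts - EPOCH).total_seconds())
        buckets[secs - secs % window_s] += 1
    return [((EPOCH + timedelta(seconds=start)).isoformat(), n)
            for start, n in sorted(buckets.items()) if n >= threshold]


if __name__ == "__main__":
    for start, n in find_crash_bursts(SAMPLE_LOG):
        print(f"{n} worker crashes in the window starting {start}")
```

Point it at a real error_log (for example by reading the file into `find_crash_bursts`) and alert on any flagged window; tune `window_s` and `threshold` to the normal churn of your MPM.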

The vulnerability was reported by independent researchers and its CVSS score (8.8 according to the report) underlines its impact. Although the path to RCE requires additional technical conditions and a certain degree of "spraying" and information leakage, the denial-of-service attacks are simple and sufficient on their own to justify prioritising the patch. For more technical details and the official list of fixes, see the Apache HTTP Server security page and the mod_http2 documentation: https://httpd.apache.org/security/vulnerabilities_24.html and https://httpd.apache.org/docs/2.4/mod/mod_http2.html.

In short: apply version 2.4.67 as soon as possible, prioritise public-facing Debian-based servers and containers or the official httpd image, consider temporary mitigations such as disabling mod_http2 or switching to prefork if you cannot patch immediately, and step up monitoring of abnormal stability and traffic events on your HTTP/2 front end.
