CVE-2019-10097

httpd: null-pointer dereference in mod_remoteip

Severity Score

7.2

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients.

En Apache HTTP Server versiones 2.4.32 hasta 2.4.39, cuando mod_remoteip se configuró para usar un servidor proxy intermediario de confianza que utiliza el protocolo "PROXY", un encabezado PROXY especialmente diseñado podría desencadenar un desbordamiento del búfer de la pila o una deferencia del puntero NULL. Esta vulnerabilidad solo puede ser activada por un proxy confiable y no por clientes HTTP no confiables.

A vulnerability was discovered in Apache httpd, in mod_remoteip. A trusted proxy using the "PROXY" protocol could send specially crafted headers that can cause httpd to experience a stack buffer overflow or NULL pointer dereference, leading to a crash or other potential consequences.

This issue could only be exploited by configured trusted intermediate proxy servers. HTTP clients such as browsers could not exploit the vulnerability.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-03-26 CVE Reserved
2019-08-27 CVE Published
2024-08-04 CVE Updated
2024-09-19 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free
CWE-476: NULL Pointer Dereference
CWE-787: Out-of-bounds Write

CAPEC

References (19)

URL	Tag	Source
https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r3c5c3104813c1c5508b55564b66546933079250a46ce50eee90b2e36%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E	Mailing List
https://www.oracle.com/security-alerts/cpuapr2020.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2020.html	Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html	Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2019:4126	2023-11-07
https://httpd.apache.org/security/vulnerabilities_24.html	2023-11-07
https://access.redhat.com/security/cve/CVE-2019-10097	2020-11-04
https://bugzilla.redhat.com/show_bug.cgi?id=1743996	2020-11-04

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.33 Search vendor "Apache" for product "Http Server" and version "2.4.33"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.34 Search vendor "Apache" for product "Http Server" and version "2.4.34"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.35 Search vendor "Apache" for product "Http Server" and version "2.4.35"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.37 Search vendor "Apache" for product "Http Server" and version "2.4.37"		-		Affected
Apache Search vendor "Apache"		Http Server Search vendor "Apache" for product "Http Server"				2.4.38 Search vendor "Apache" for product "Http Server" and version "2.4.38"		-		Affected
Oracle Search vendor "Oracle"		Communications Element Manager Search vendor "Oracle" for product "Communications Element Manager"				8.0.0 Search vendor "Oracle" for product "Communications Element Manager" and version "8.0.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Element Manager Search vendor "Oracle" for product "Communications Element Manager"				8.1.0 Search vendor "Oracle" for product "Communications Element Manager" and version "8.1.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Element Manager Search vendor "Oracle" for product "Communications Element Manager"				8.1.1 Search vendor "Oracle" for product "Communications Element Manager" and version "8.1.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Element Manager Search vendor "Oracle" for product "Communications Element Manager"				8.2.0 Search vendor "Oracle" for product "Communications Element Manager" and version "8.2.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Session Report Manager Search vendor "Oracle" for product "Communications Session Report Manager"				8.1.1 Search vendor "Oracle" for product "Communications Session Report Manager" and version "8.1.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Session Report Manager Search vendor "Oracle" for product "Communications Session Report Manager"				8.2.0 Search vendor "Oracle" for product "Communications Session Report Manager" and version "8.2.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Session Report Manager Search vendor "Oracle" for product "Communications Session Report Manager"				8.2.1 Search vendor "Oracle" for product "Communications Session Report Manager" and version "8.2.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Session Route Manager Search vendor "Oracle" for product "Communications Session Route Manager"				8.1.1 Search vendor "Oracle" for product "Communications Session Route Manager" and version "8.1.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Session Route Manager Search vendor "Oracle" for product "Communications Session Route Manager"				8.2.0 Search vendor "Oracle" for product "Communications Session Route Manager" and version "8.2.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Session Route Manager Search vendor "Oracle" for product "Communications Session Route Manager"				8.2.1 Search vendor "Oracle" for product "Communications Session Route Manager" and version "8.2.1"		-		Affected
Oracle Search vendor "Oracle"		Enterprise Manager Ops Center Search vendor "Oracle" for product "Enterprise Manager Ops Center"				12.3.3 Search vendor "Oracle" for product "Enterprise Manager Ops Center" and version "12.3.3"		-		Affected
Oracle Search vendor "Oracle"		Enterprise Manager Ops Center Search vendor "Oracle" for product "Enterprise Manager Ops Center"				12.4.0 Search vendor "Oracle" for product "Enterprise Manager Ops Center" and version "12.4.0"		-		Affected
Oracle Search vendor "Oracle"		Http Server Search vendor "Oracle" for product "Http Server"				12.2.1.4.0 Search vendor "Oracle" for product "Http Server" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Instantis Enterprisetrack Search vendor "Oracle" for product "Instantis Enterprisetrack"				>= 17.1 <= 17.3 Search vendor "Oracle" for product "Instantis Enterprisetrack" and version " >= 17.1 <= 17.3"		-		Affected
Oracle Search vendor "Oracle"		Retail Xstore Point Of Service Search vendor "Oracle" for product "Retail Xstore Point Of Service"				7.1 Search vendor "Oracle" for product "Retail Xstore Point Of Service" and version "7.1"		-		Affected