CVE-2019-10097

Published: 14 August 2019

In Apache HTTP Server 2.4.32-2.4.39, when mod_remoteip was configured to use a trusted intermediary proxy server using the "PROXY" protocol, a specially crafted PROXY header could trigger a stack buffer overflow or NULL pointer deference. This vulnerability could only be triggered by a trusted proxy and not by untrusted HTTP clients.

Priority

Medium

CVSS 3 base score: 7.2

Status

Package Release Status
apache2
Launchpad, Ubuntu, Debian
Upstream
Released (2.4.41-1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(code not present)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(code not present)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(code not present)
Patches:
Upstream: https://github.com/apache/httpd/commit/6e2cd6b5efdc9d02b0eb7834ffddee7ed06ba6a6
This vulnerability is mitigated in part by the use of gcc's stack protector in Ubuntu.