Apache HTTP Server HTTP/2 Bug Opens Door to Service Disruption and Code Execution

A double free error in Apache's HTTP/2 stream handling allows attackers to crash servers with a single connection, with potential for remote code execution on some Linux systems.

CSBadmin

How the Vulnerability Works

The Apache Software Foundation has released an urgent security update for the HTTP Server, fixing a critical flaw in its handling of HTTP/2 connections. The bug, which affects version 2.4.66, is a memory management error in mod_http2, the module responsible for HTTP/2 streams. When a client sends a HEADERS frame that opens a new stream and immediately follows it with a RST_STREAM frame cancelling that stream, the server releases the same memory block twice. A double free of this kind can crash the server process, causing a denial of service, or, under certain conditions, be exploited to run arbitrary code on the server.

The issue is particularly dangerous because it can be triggered with minimal effort: an attacker needs only a single TCP connection and two frames, with no authentication or special headers required. The crash is immediate on any default Apache installation that has the HTTP/2 module enabled and uses a multi-threaded processing model (the event or worker MPM; mod_http2 does not serve HTTP/2 under the prefork MPM).
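The following C program is an added illustration and is not mod_http2 code or the project's fix. It models the lifecycle the article describes: per-stream state is allocated when a HEADERS frame arrives, released when the client's RST_STREAM arrives, and then released a second time when the connection is torn down because the stream table still holds the stale pointer. The frame type numbers are the real HTTP/2 values; the struct names, the `replay` function and the stream table are hypothetical. A tracking free counts the second release instead of handing the pointer back to the allocator, so the model runs safely, and the `fixed` variant shows the ownership hand-off that a correct cleanup needs.

```c
/* Added example, not mod_http2 code: a hypothetical model of the
 * HEADERS-then-RST_STREAM double free described in the article. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FRAME_HEADERS    0x1   /* real HTTP/2 HEADERS frame type */
#define FRAME_RST_STREAM 0x3   /* real HTTP/2 RST_STREAM frame type */
#define MAX_STREAMS 8

typedef struct {
    int  id;
    char path[64];             /* stands in for decoded header state */
} h2_stream;

typedef struct {
    h2_stream *streams[MAX_STREAMS]; /* stream table, indexed by stream id */
    void      *freed[MAX_STREAMS];   /* pointers already released on this conn */
    int        freed_count;
    int        double_frees;         /* counted instead of crashing */
    int        fixed;                /* 1 = clear the table slot on RST_STREAM */
} h2_conn;

/* Tracking free: a second release of the same pointer is recorded, not
 * executed. A real allocator would corrupt its free list or abort here. */
static void stream_free(h2_conn *c, h2_stream *s) {
    for (int i = 0; i < c->freed_count; i++)
        if (c->freed[i] == s) { c->double_frees++; return; }
    c->freed[c->freed_count++] = s;
    free(s);
}

static int slot_for(int stream_id) { return (stream_id / 2) % MAX_STREAMS; }

/* HEADERS opens the stream: allocate its state and register it. */
static void on_headers(h2_conn *c, int stream_id, const char *path) {
    h2_stream *s = malloc(sizeof *s);
    s->id = stream_id;
    strncpy(s->path, path, sizeof s->path - 1);
    s->path[sizeof s->path - 1] = '\0';
    c->streams[slot_for(stream_id)] = s;
}

/* RST_STREAM cancels the stream: release its state. The vulnerable variant
 * leaves the stale pointer in the table; the fixed variant hands ownership
 * off by clearing the slot so connection teardown cannot free it again. */
static void on_rst_stream(h2_conn *c, int stream_id) {
    int i = slot_for(stream_id);
    if (!c->streams[i]) return;
    stream_free(c, c->streams[i]);
    if (c->fixed) c->streams[i] = NULL;
}

/* Connection teardown releases every stream still registered. */
static void conn_close(h2_conn *c) {
    for (int i = 0; i < MAX_STREAMS; i++) {
        if (c->streams[i]) { stream_free(c, c->streams[i]); c->streams[i] = NULL; }
    }
}

/* Replays the constructed two-frame sequence from the article (HEADERS then
 * RST_STREAM on stream 1) followed by teardown. Returns the number of double
 * frees observed: 1 for the vulnerable model, 0 for the fixed one. */
int replay(int fixed) {
    h2_conn c;
    memset(&c, 0, sizeof c);
    c.fixed = fixed;
    static const struct { int type; int stream_id; } frames[] = {
        { FRAME_HEADERS, 1 }, { FRAME_RST_STREAM, 1 },
    };
    for (size_t k = 0; k < sizeof frames / sizeof frames[0]; k++) {
        if (frames[k].type == FRAME_HEADERS)
            on_headers(&c, frames[k].stream_id, "/");
        else if (frames[k].type == FRAME_RST_STREAM)
            on_rst_stream(&c, frames[k].stream_id);
    }
    conn_close(&c);
    return c.double_frees;
}

int main(void) {
    printf("vulnerable model: %d double free(s)\n", replay(0));
    printf("fixed model:      %d double free(s)\n", replay(1));
    return 0;
}
```

The point the model makes is that the bug class is an ownership problem rather than an allocation problem: two code paths (stream reset and connection teardown) both believe they own the stream, and the fix is to make exactly one of them responsible for the release.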

Impact and Scope

While the denial of service attack works universally on affected configurations, the remote code execution scenario depends on which memory allocator the Apache Portable Runtime (APR) library was built to use. Systems whose APR uses the mmap allocator, which the report identifies as the default on Debian based Linux distributions and in the official Apache Docker image, are at risk of full server compromise. On other configurations the crash alone still disrupts service: Apache respawns a worker process after each crash, but every connection that replays the frame sequence kills it again, and with the event or worker MPM each crash also drops every other connection that worker process was serving.

The vulnerability was discovered by security researchers from Striga.ai and ISEC.pl, and has been patched in Apache HTTP Server version 2.4.67. System administrators running any version prior to this release should update immediately, or apply their distribution's backported fix, to prevent exploitation. Where an update cannot be applied right away, removing h2 from the Protocols directive (or not loading mod_http2) stops the server from negotiating HTTP/2 at all, at the cost of HTTP/2 for every client.
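The following C check is an added example, not project code. It parses the banner printed by `httpd -v` (or `apache2 -v` on Debian based systems), for example `Server version: Apache/2.4.66 (Unix)`, and reports whether the version is at least the 2.4.67 release that carries the fix. The function name `httpd_is_patched` and the sample banners are assumptions made for this example.

```c
/* Added example, not project code: flag Apache versions older than 2.4.67. */
#include <stdio.h>
#include <string.h>

#define FIXED_MAJOR 2
#define FIXED_MINOR 4
#define FIXED_PATCH 67

/* Returns 1 if the banner names a version >= 2.4.67, 0 if it is older,
 * and -1 if no "Apache/x.y.z" token is present (not an Apache banner). */
int httpd_is_patched(const char *banner) {
    const char *p = strstr(banner, "Apache/");
    int maj, min, pat;
    if (!p || sscanf(p, "Apache/%d.%d.%d", &maj, &min, &pat) != 3) return -1;
    if (maj != FIXED_MAJOR) return maj > FIXED_MAJOR;
    if (min != FIXED_MINOR) return min > FIXED_MINOR;
    return pat >= FIXED_PATCH;
}

/* Reads the first line of `httpd -v` from stdin:  httpd -v | ./check */
int main(void) {
    char line[256];
    if (!fgets(line, sizeof line, stdin)) return 2;
    switch (httpd_is_patched(line)) {
    case 1:  printf("patched (>= 2.4.67): %s", line); return 0;
    case 0:  printf("VULNERABLE (< 2.4.67): %s", line); return 1;
    default: printf("no Apache version found in: %s", line); return 2;
    }
}
```

Two caveats apply. Distribution packages often backport security fixes without changing the upstream version number, so a vendor build reporting 2.4.66 may already be fixed; the distribution's advisory is authoritative in that case. And the `Server:` response header is not a substitute for `httpd -v`, because `ServerTokens Prod` hides the version from remote clients.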

Source: The Hacker News
