The flaws uncovered by Felix Wilhelm of Google Project Zero are now addressed by the Apache Foundation in the latest version of the software, 2.4.46. Apache urged users to install the latest version of its server application to prevent third parties from taking unauthorized control. The flaws are tracked as CVE-2020-9490, CVE-2020-11984, and CVE-2020-11993.
mod_uwsgi and mod_http2 modules
One of the flaws is a buffer overflow in the “mod_uwsgi” module that could allow remote code execution, letting an adversary view, change, or delete sensitive data. Another flaw is triggered when debugging is enabled in the “mod_http2” module: logging statements are made on the wrong connection, which corrupts memory because of how the log pool is used. The most severe flaw also resides in the HTTP/2 module and likewise causes memory corruption leading to a crash or denial of service.
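The two actionable points in the article are the fixed version (2.4.46) and the fact that the mod_http2 logging flaw needs debug logging to be on. The script below is an added example, not code from the article or from the Apache project: it takes the output of `httpd -v` and the text of the server configuration, reports whether the build is older than 2.4.46 and whether HTTP/2 debug or trace logging is enabled. It assumes the standard `LogLevel` directive syntax (`LogLevel debug` globally or `LogLevel http2:debug` per module) and uses constructed sample input so it runs offline; the configuration path on a real host is left to the caller.

```shell
#!/bin/sh
# Added example (not from the article): audit an Apache httpd host for the
# two conditions the article describes. Input is passed as strings so the
# script runs offline; on a live host use "$(httpd -v)" and the config text.

FIXED_VERSION="2.4.46"   # release that ships the fixes, per the article

# Pull "2.4.43" out of a line such as "Server version: Apache/2.4.43 (Unix)".
# Prints nothing when the input is not an Apache version banner.
extract_version() {
    printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when dotted version $1 >= $2, comparing field by field as numbers
# (so 2.4.9 < 2.4.46, which a plain string comparison would get wrong).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# Return 0 when the config text enables debug/trace logging for mod_http2,
# either globally ("LogLevel debug") or per module ("LogLevel warn http2:trace2").
# Commented-out lines and other modules' levels (e.g. ssl:debug) do not count.
http2_debug_enabled() {
    printf '%s\n' "$1" | grep -Eiq \
        '^[[:space:]]*LogLevel[[:space:]]+([^#]*[[:space:]])?(http2:)?(debug|trace[1-8])([[:space:]]|$)'
}

# $1: "httpd -v" output, $2: configuration text. Prints one line per finding
# and returns the number of findings (0 means nothing to do).
audit() {
    findings=0
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo "could not parse an Apache version from: $1"
        findings=$((findings + 1))
    elif ! version_ge "$ver" "$FIXED_VERSION"; then
        echo "httpd $ver is older than $FIXED_VERSION: upgrade (CVE-2020-9490, CVE-2020-11984, CVE-2020-11993)"
        findings=$((findings + 1))
    fi
    if http2_debug_enabled "$2"; then
        echo "mod_http2 debug/trace logging is enabled: lower the http2 LogLevel until the server is patched"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample input (not taken from a real host).
SAMPLE_VERSION='Server version: Apache/2.4.43 (Unix)'
SAMPLE_CONF='LogLevel warn http2:debug
ServerName example.test'
audit "$SAMPLE_VERSION" "$SAMPLE_CONF" || echo "findings: $?"
```

On a live host the same audit is `audit "$(httpd -v)" "$(cat /path/to/httpd.conf)"` (or `apache2 -v` on Debian-style layouts); the version check alone is enough for the mod_uwsgi and second HTTP/2 flaws, while the LogLevel check tells you whether the logging flaw is even reachable before the upgrade lands.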