CVE-2020-11984: About Apache HTTP server 2.4.32 to 2.4.44 mod_proxy_uwsgi (2nd Sep 2020)

Preface: uWSGI is a very active project with a fast release cycle. For this reason the code and the documentation maynot always be in sync.

Background: Currently there are three uwsgi-protocol related apache2 modules available. They are mod_uwsgi,mod_proxy_uwsgi and mod_Ruwsgi. uWSGI is often used for serving Python web applications in conjunction with web servers such as Cherokee and Nginx, which offer direct support for uWSGI’s native uwsgi protocol.

Vulnerability details: By sending a small amount of headers (length close to the LimitRequestFieldSize default value of 8190) through uWSGI open port.RCE against a standard UWSGI config is possible if an attacker can put a controlled name or value into “subprocess_env” that is longer than 0xFFFF bytes.
Remark: If UWSGI is explicitly configured in persistent mode (puwsgi), this can also be used to smuggle a second UWSGI request leading to remote code execution.(In its standard configuration UWSGI only supports a single request per connection, making request smuggling impossible).

Official announcement: https://nvd.nist.gov/vuln/detail/CVE-2020-11984

Remedy: CVE-2020-11984: Fixed an information disclosure bug in mod_proxy_uwsgi (bsc#1175074) – https://lists.opensuse.org/opensuse-security-announce/2020-08/msg00068.html

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.