
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-11993 affects Apache HTTP Server versions 2.4.20 to 2.4.43. When trace or debug logging was enabled for the HTTP/2 module (mod_http2), certain traffic edge patterns caused logging statements to be issued against the wrong connection, so that memory pools belonging to different connections were used concurrently (Apache Advisory, NVD). APR memory pools are not safe for concurrent access, which is why the result is a crash rather than merely a misattributed log line.
The issue has a CVSS v3.1 base score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD): it is reachable over the network, needs no privileges or user interaction, and its only impact is on availability.
Successful exploitation results in a denial of service through the concurrent memory pool usage described above. Confidentiality and integrity are not affected (NVD). Note that the precondition is a server-side logging setting: a server running an affected version with mod_http2 at the default log level does not expose the vulnerable code path.
A temporary mitigation for unpatched servers is to configure the LogLevel of mod_http2 above "info" in severity, that is, keep it at info or a less verbose level such as warn; debug and trace1 through trace8 are the settings that enable the affected code path. The permanent fix is to upgrade to Apache HTTP Server 2.4.44 or later. Multiple Linux distributions have released patched packages for this vulnerability (Ubuntu Notice, Debian Advisory).
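Because the mitigation is a configuration condition, the following added shell audit (written for this page, not Apache project tooling) computes the effective mod_http2 log level from the LogLevel directives in an httpd configuration file and flags debug or trace1 through trace8, and also checks whether a version string falls in the affected 2.4.20 to 2.4.43 range. It assumes a single configuration file (Include is not followed and VirtualHost scoping is ignored) and relies on the documented LogLevel rule that a level given without a module name resets all per-module levels. The sample configuration files are constructed for the example.

```shell
#!/bin/sh
# Added example, not Apache project code: audit an httpd config for the
# CVE-2020-11993 mitigation. On unpatched 2.4.20-2.4.43 the bug only triggers
# when mod_http2 logs at debug or trace1..trace8, so we compute the effective
# mod_http2 log level from LogLevel directives and flag those levels.
# Assumptions: single-file config (Include not followed, VirtualHost scoping
# ignored); the last directive wins; a bare level resets per-module levels,
# as the LogLevel documentation states.

# Usage: http2_loglevel_status /path/to/httpd.conf  -> prints "risky" or "ok"
http2_loglevel_status() {
    awk '
    function is_verbose(level) {
        return (level == "debug" || level ~ /^trace[1-8]$/)
    }
    tolower($1) == "loglevel" {
        for (i = 2; i <= NF; i++) {
            tok = tolower($i)
            if (index(tok, ":") > 0) {
                split(tok, kv, ":")
                # http2, http2_module and mod_http2.c all address mod_http2
                if (kv[1] ~ /^(http2|http2_module|mod_http2\.c)$/) http2 = kv[2]
            } else {
                global = tok
                http2 = ""   # bare level resets per-module overrides
            }
        }
    }
    END {
        # httpd defaults to warn when no LogLevel is configured
        eff = (http2 != "") ? http2 : (global != "" ? global : "warn")
        print (is_verbose(eff) ? "risky" : "ok")
    }' "$1"
}

# Return 0 if a bare version string such as 2.4.41 is in the affected range
# 2.4.20-2.4.43 inclusive, 1 otherwise. Obtain the string from a live server with:
#   httpd -v | sed -n 's#.*Apache/\([0-9][0-9.]*\).*#\1#p'
httpd_version_affected() {
    echo "$1" | awk -F. '$1 == 2 && $2 == 4 && $3 >= 20 && $3 <= 43 { exit 0 } { exit 1 }'
}

# Constructed sample configs (not taken from any real server).
tmpdir=$(mktemp -d)

# Weak: trace logging for mod_http2 enables the vulnerable code path.
cat > "$tmpdir/weak.conf" <<'EOF'
ServerName www.example.com
LogLevel warn http2:trace2
EOF

# Corrected: mod_http2 at info, the most verbose level the advisory allows.
cat > "$tmpdir/fixed.conf" <<'EOF'
ServerName www.example.com
LogLevel warn http2:info
EOF

# Also risky: a global debug level applies to mod_http2 as well.
cat > "$tmpdir/global_debug.conf" <<'EOF'
LogLevel debug
EOF

for f in weak fixed global_debug; do
    printf '%s.conf: %s\n' "$f" "$(http2_loglevel_status "$tmpdir/$f.conf")"
done

for v in 2.4.19 2.4.20 2.4.43 2.4.44; do
    if httpd_version_affected "$v"; then
        printf 'httpd %s: affected, apply mitigation or upgrade\n' "$v"
    else
        printf 'httpd %s: not in affected range\n' "$v"
    fi
done

rm -rf "$tmpdir"
```

Run it against the config actually loaded by the server (for example the file reported by `httpd -V` as SERVER_CONFIG_FILE), and remember that the "ok" result only means the mitigation is in place; an affected version still needs the upgrade to 2.4.44 or later.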
The vulnerability was acknowledged by major Linux distributions and security vendors. NetApp issued an advisory analyzing the potential impact on its products (NetApp Advisory), and Ubuntu, Debian, and Red Hat released security updates to address it.
Source: This report was generated using AI