
Multiple vulnerabilities in Apache Httpd

Reference: Advisory #2019-008
Version: 1.0
Affected software: Apache 2.4 versions prior to 2.4.39
Type: Arbitrary code execution, user access control bypass
CVE/CVSS:
CVE: CVE-2019-0211, CVE-2019-0215, CVE-2019-0217
CVSS score: 8.2

Sources

https://httpd.apache.org/security/vulnerabilities_24.html

Risks

Users with limited permissions on the server may be able to escalate their privileges via scripts, making it possible to run commands as root on vulnerable Apache web servers.

Description

On Apache HTTP Server 2.4, versions 2.4.17 to 2.4.38, code running in secondary processes with lesser privileges could execute arbitrary code with root privileges by manipulating the scoreboard functionality of its mod_status module (CVE-2019-0211).
Non-Unix systems are not affected by this vulnerability.

Two other vulnerabilities, CVE-2019-0215 and CVE-2019-0217, could let a malicious actor bypass configured access control restrictions. All operating systems are affected.

Recommended Actions

CERT.be recommends that administrators update Apache to the latest available version.
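To help administrators triage the affected range given in the Description (2.4.17 to 2.4.38, fixed in 2.4.39) before updating, the following added example (not part of the CERT.be advisory or the Apache project) parses the output of `httpd -v` / `apache2 -v` or an HTTP `Server` header and classifies the version; the sample banners are constructed.

```python
import re
import subprocess
from typing import Optional, Tuple

# Affected range taken from the advisory: Apache 2.4.17 up to and
# including 2.4.38; the fix shipped in 2.4.39.
FIRST_AFFECTED = (2, 4, 17)
FIRST_FIXED = (2, 4, 39)

VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_apache_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from 'httpd -v' output or a Server header.

    Returns None when no 'Apache/x.y.z' token is present, e.g. when the
    banner is trimmed by 'ServerTokens Prod' and only reads 'Apache'.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True if the version lies inside the advisory's affected range."""
    return FIRST_AFFECTED <= version < FIRST_FIXED


def assess(text: str) -> str:
    """Classify a banner as 'affected', 'not affected' or 'unknown'."""
    version = parse_apache_version(text)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


def local_httpd_version(binary: str = "httpd") -> Optional[Tuple[int, int, int]]:
    """Run '<binary> -v' on this host (use 'apache2' on Debian/Ubuntu)."""
    try:
        proc = subprocess.run([binary, "-v"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return parse_apache_version(proc.stdout)


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    for banner in ("Server version: Apache/2.4.38 (Debian)",
                   "Server version: Apache/2.4.39 (Unix)",
                   "Server: Apache"):
        print(f"{banner!r}: {assess(banner)}")
```

A version match is a prompt to verify, not proof of exposure: distribution packages often backport security fixes without changing the reported version, so confirm against the package changelog, and remember that CVE-2019-0211 does not apply to non-Unix systems while the two access-control bypasses affect every OS.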

References

https://www.bleepingcomputer.com/news/security/apache-bug-lets-normal-users-gain-root-access-via-scripts

https://httpd.apache.org/security/vulnerabilities_24.html