Apache Webserver 6x Security Update

Der beliebte Apache Webserver, weißt aktuell 6 Sicherheitslücken auf. Die Schwere geht von Low bis Important. Leider so wichtig, dass ein Angreifer, grade bei Shared Hosting mit Einsatz von MPM event, Worker oder Prefork, root Rechte erlangen kann.

Apache Security Release Notes

important: Apache HTTP Server privilege escalation from modules’ scripts (CVE-2019-0211)

In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.

Acknowledgements: The issue was discovered by Charles Fol.

Reported to security team22nd February 2019
Issue public1st April 2019
Affects2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17

important: mod_auth_digest access control bypass (CVE-2019-0217)

In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.

Acknowledgements: The issue was discovered by Simon Kappel.

Reported to security team29th January 2019
Issue public1st April 2019
Affects2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0

important: mod_ssl access control bypass (CVE-2019-0215)

In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client supporting Post-Handshake Authentication to bypass configured access control restrictions.

Acknowledgements: The issue was discovered by Michael Kaufmann.

Reported to security team23rd January 2019
Issue public1st April 2019
Affects2.4.38, 2.4.37

low: mod_http2, possible crash on late upgrade (CVE-2019-0197)

When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. A server that never enabled the h2 protocol or that only enabled it for https: and did not configure the “H2Upgrade on” is unaffected by this.

Acknowledgements: The issue was discovered by Stefan Eissing, greenbytes.de.

Reported to security team29th January 2019
Issue public1st April 2019
Affects2.4.38, 2.4.37, 2.4.35, 2.4.34

low: mod_http2, read-after-free on a string compare (CVE-2019-0196)

Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparision when determining the method of a request and thus process the request incorrectly.

Acknowledgements: The issue was discovered by Craig Young, <vuln-report@secur3.us>.

Reported to security team29th January 2019
Issue public1st April 2019
Affects2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18

low: Apache httpd URL normalization inconsistincy (CVE-2019-0220)

When the path component of a request URL contains multiple consecutive slashes (‘/’), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them.

Acknowledgements: The issue was discovered by Bernhard Lorenz <bernhard.lorenz@alphastrike.io> of Alpha Strike Labs GmbH.

Reported to security team20th January 2019
Issue public1st April 2019
Affects2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0

Quelle: https://httpd.apache.org/security/vulnerabilities_24.html

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.