JARVIS
Der beliebte Apache Webserver, weißt aktuell 6 Sicherheitslücken auf. Die Schwere geht von Low bis Important. Leider so wichtig, dass ein Angreifer, grade bei Shared Hosting mit Einsatz von MPM event, Worker oder Prefork, root Rechte erlangen kann.
Apache Security Release Notes
important: Apache HTTP Server privilege escalation from modules’ scripts (CVE-2019-0211)
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.
Acknowledgements: The issue was discovered by Charles Fol.
| Reported to security team | 22nd February 2019 |
| Issue public | 1st April 2019 |
| Affects | 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17 |
important: mod_auth_digest access control bypass (CVE-2019-0217)
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
Acknowledgements: The issue was discovered by Simon Kappel.
| Reported to security team | 29th January 2019 |
| Issue public | 1st April 2019 |
| Affects | 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0 |
important: mod_ssl access control bypass (CVE-2019-0215)
In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client supporting Post-Handshake Authentication to bypass configured access control restrictions.
Acknowledgements: The issue was discovered by Michael Kaufmann.
| Reported to security team | 23rd January 2019 |
| Issue public | 1st April 2019 |
| Affects | 2.4.38, 2.4.37 |
low: mod_http2, possible crash on late upgrade (CVE-2019-0197)
When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. A server that never enabled the h2 protocol or that only enabled it for https: and did not configure the “H2Upgrade on” is unaffected by this.
Acknowledgements: The issue was discovered by Stefan Eissing, greenbytes.de.
| Reported to security team | 29th January 2019 |
| Issue public | 1st April 2019 |
| Affects | 2.4.38, 2.4.37, 2.4.35, 2.4.34 |
low: mod_http2, read-after-free on a string compare (CVE-2019-0196)
Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparision when determining the method of a request and thus process the request incorrectly.
Acknowledgements: The issue was discovered by Craig Young, <vuln-report@secur3.us>.
| Reported to security team | 29th January 2019 |
| Issue public | 1st April 2019 |
| Affects | 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18 |
low: Apache httpd URL normalization inconsistincy (CVE-2019-0220)
When the path component of a request URL contains multiple consecutive slashes (‘/’), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them.
Acknowledgements: The issue was discovered by Bernhard Lorenz <bernhard.lorenz@alphastrike.io> of Alpha Strike Labs GmbH.
| Reported to security team | 20th January 2019 |
| Issue public | 1st April 2019 |
| Affects | 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0 |
Quelle: https://httpd.apache.org/security/vulnerabilities_24.html
Interessiert in verschiedenste IT Themen, schreibe ich in diesem Blog über Software, Hardware, Smart Home, Games und vieles mehr. Ich berichte z.B. über die Installation und Konfiguration von Software als auch von Problemen mit dieser. News sind ebenso spannend, sodass ich auch über Updates, Releases und Neuigkeiten aus der IT berichte. Letztendlich nutze ich Taste-of-IT als eigene Dokumentation und Anlaufstelle bei wiederkehrenden Themen. Ich hoffe ich kann dich ebenso informieren und bei Problemen eine schnelle Lösung anbieten. Wer meinen Aufwand unterstützen möchte, kann gerne eine Tasse oder Pod Kaffe per PayPal spenden – vielen Dank.