First published: Mon Apr 01 2019(Updated: )
A race condition was found in mod_auth_digest when the web server was running in a threaded MPM configuration. It could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
Credit: security@apache.org security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/jbcs-httpd24-apr | <0:1.6.3-63.jbcs.el6 | 0:1.6.3-63.jbcs.el6 |
redhat/jbcs-httpd24-apr-util | <0:1.6.1-48.jbcs.el6 | 0:1.6.1-48.jbcs.el6 |
redhat/jbcs-httpd24-brotli | <0:1.0.6-7.jbcs.el6 | 0:1.0.6-7.jbcs.el6 |
redhat/jbcs-httpd24-curl | <0:7.64.1-14.jbcs.el6 | 0:7.64.1-14.jbcs.el6 |
redhat/jbcs-httpd24-httpd | <0:2.4.37-33.jbcs.el6 | 0:2.4.37-33.jbcs.el6 |
redhat/jbcs-httpd24-jansson | <0:2.11-20.jbcs.el6 | 0:2.11-20.jbcs.el6 |
redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-4.jbcs.el6 | 0:1.39.2-4.jbcs.el6 |
redhat/jbcs-httpd24-openssl | <1:1.1.1-25.jbcs.el6 | 1:1.1.1-25.jbcs.el6 |
redhat/jbcs-httpd24-apr | <0:1.6.3-63.jbcs.el7 | 0:1.6.3-63.jbcs.el7 |
redhat/jbcs-httpd24-apr-util | <0:1.6.1-48.jbcs.el7 | 0:1.6.1-48.jbcs.el7 |
redhat/jbcs-httpd24-brotli | <0:1.0.6-7.jbcs.el7 | 0:1.0.6-7.jbcs.el7 |
redhat/jbcs-httpd24-curl | <0:7.64.1-14.jbcs.el7 | 0:7.64.1-14.jbcs.el7 |
redhat/jbcs-httpd24-httpd | <0:2.4.37-33.jbcs.el7 | 0:2.4.37-33.jbcs.el7 |
redhat/jbcs-httpd24-jansson | <0:2.11-20.jbcs.el7 | 0:2.11-20.jbcs.el7 |
redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-4.jbcs.el7 | 0:1.39.2-4.jbcs.el7 |
redhat/jbcs-httpd24-openssl | <1:1.1.1-25.jbcs.el7 | 1:1.1.1-25.jbcs.el7 |
redhat/httpd | <0:2.4.6-90.el7 | 0:2.4.6-90.el7 |
redhat/httpd24 | <0:1.1-19.el6 | 0:1.1-19.el6 |
redhat/httpd24-httpd | <0:2.4.34-15.el6 | 0:2.4.34-15.el6 |
redhat/httpd24-nghttp2 | <0:1.7.1-8.el6 | 0:1.7.1-8.el6 |
redhat/httpd24 | <0:1.1-19.el7 | 0:1.1-19.el7 |
redhat/httpd24-httpd | <0:2.4.34-15.el7 | 0:2.4.34-15.el7 |
redhat/httpd24-nghttp2 | <0:1.7.1-8.el7 | 0:1.7.1-8.el7 |
redhat/httpd | <2.4.39 | 2.4.39 |
Apache HTTP server | >=2.4.0<=2.4.38 | |
Debian Debian Linux | =8.0 | |
Debian Debian Linux | =9.0 | |
Fedoraproject Fedora | =28 | |
Fedoraproject Fedora | =29 | |
Fedoraproject Fedora | =30 | |
Canonical Ubuntu Linux | =12.04 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =18.10 | |
Redhat Enterprise Linux | ||
Redhat Enterprise Linux Desktop | =7.0 | |
Redhat Enterprise Linux Server | =7.0 | |
Redhat Enterprise Linux Workstation | =7.0 | |
openSUSE Leap | =15.0 | |
openSUSE Leap | =42.3 | |
Netapp Oncommand Unified Manager 7-mode | ||
NetApp Clustered Data ONTAP | ||
Oracle Enterprise Manager Ops Center | =12.3.3 | |
Oracle Enterprise Manager Ops Center | =12.4.0 | |
Oracle HTTP Server | =12.2.1.3.0 | |
Oracle Retail Xstore Point of Service | =7.0 | |
Oracle Retail Xstore Point of Service | =7.1 | |
debian/apache2 | 2.4.62-1~deb11u1 2.4.62-1~deb11u2 2.4.62-1~deb12u2 2.4.62-3 |
This flaw only affects a threaded server configuration, so using the prefork MPM is an effective mitigation. In versions of httpd package shipped with Red Hat Enterprise Linux 7, the prefork MPM is the default configuration.
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)