CVE-2019-0217: Race Condition
First published: Mon Apr 01 2019(Updated: )
A race condition was found in mod_auth_digest when the web server was running in a threaded MPM configuration. It could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jbcs-httpd24-apr | <0:1.6.3-63.jbcs.el6 | 0:1.6.3-63.jbcs.el6 |
| redhat/jbcs-httpd24-apr-util | <0:1.6.1-48.jbcs.el6 | 0:1.6.1-48.jbcs.el6 |
| redhat/jbcs-httpd24-brotli | <0:1.0.6-7.jbcs.el6 | 0:1.0.6-7.jbcs.el6 |
| redhat/jbcs-httpd24-curl | <0:7.64.1-14.jbcs.el6 | 0:7.64.1-14.jbcs.el6 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-33.jbcs.el6 | 0:2.4.37-33.jbcs.el6 |
| redhat/jbcs-httpd24-jansson | <0:2.11-20.jbcs.el6 | 0:2.11-20.jbcs.el6 |
| redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-4.jbcs.el6 | 0:1.39.2-4.jbcs.el6 |
| redhat/jbcs-httpd24-openssl | <1:1.1.1-25.jbcs.el6 | 1:1.1.1-25.jbcs.el6 |
| redhat/jbcs-httpd24-apr | <0:1.6.3-63.jbcs.el7 | 0:1.6.3-63.jbcs.el7 |
| redhat/jbcs-httpd24-apr-util | <0:1.6.1-48.jbcs.el7 | 0:1.6.1-48.jbcs.el7 |
| redhat/jbcs-httpd24-brotli | <0:1.0.6-7.jbcs.el7 | 0:1.0.6-7.jbcs.el7 |
| redhat/jbcs-httpd24-curl | <0:7.64.1-14.jbcs.el7 | 0:7.64.1-14.jbcs.el7 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-33.jbcs.el7 | 0:2.4.37-33.jbcs.el7 |
| redhat/jbcs-httpd24-jansson | <0:2.11-20.jbcs.el7 | 0:2.11-20.jbcs.el7 |
| redhat/jbcs-httpd24-nghttp2 | <0:1.39.2-4.jbcs.el7 | 0:1.39.2-4.jbcs.el7 |
| redhat/jbcs-httpd24-openssl | <1:1.1.1-25.jbcs.el7 | 1:1.1.1-25.jbcs.el7 |
| redhat/httpd | <0:2.4.6-90.el7 | 0:2.4.6-90.el7 |
| redhat/httpd24 | <0:1.1-19.el6 | 0:1.1-19.el6 |
| redhat/httpd24-httpd | <0:2.4.34-15.el6 | 0:2.4.34-15.el6 |
| redhat/httpd24-nghttp2 | <0:1.7.1-8.el6 | 0:1.7.1-8.el6 |
| redhat/httpd24 | <0:1.1-19.el7 | 0:1.1-19.el7 |
| redhat/httpd24-httpd | <0:2.4.34-15.el7 | 0:2.4.34-15.el7 |
| redhat/httpd24-nghttp2 | <0:1.7.1-8.el7 | 0:1.7.1-8.el7 |
| redhat/httpd | <2.4.39 | 2.4.39 |
| debian/apache2 | 2.4.62-1~deb11u1 2.4.62-1~deb11u2 2.4.62-1~deb12u2 2.4.63-1 | |
| Apache HTTP Server | >=2.4.0<=2.4.38 | |
| Debian | =8.0 | |
| Debian | =9.0 | |
| Fedora | =28 | |
| Fedora | =29 | |
| Fedora | =30 | |
| Ubuntu | =12.04 | |
| Ubuntu | =14.04 | |
| Ubuntu | =16.04 | |
| Ubuntu | =18.04 | |
| Ubuntu | =18.10 | |
| Red Hat Enterprise Linux | ||
| Red Hat Enterprise Linux Desktop | =7.0 | |
| Red Hat Enterprise Linux Server | =7.0 | |
| Red Hat Enterprise Linux Workstation | =7.0 | |
| SUSE Linux | =15.0 | |
| SUSE Linux | =42.3 | |
| NetApp OnCommand Unified Manager for 7-Mode | ||
| IBM Data ONTAP | ||
| Oracle Enterprise Manager Ops Center | =12.3.3 | |
| Oracle Enterprise Manager Ops Center | =12.4.0 | |
| Oracle HTTP Server | =12.2.1.3.0 | |
| Oracle Retail Xstore Office Cloud Service | =7.0 | |
| Oracle Retail Xstore Office Cloud Service | =7.1 |
Remedy
This flaw only affects a threaded server configuration, so using the prefork MPM is an effective mitigation. In versions of httpd package shipped with Red Hat Enterprise Linux 7, the prefork MPM is the default configuration.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-0217 https://nvd.nist.gov/vuln/detail/CVE-2019-0217 http://www.apache.org/dist/httpd/CHANGES_2.4 https://httpd.apache.org/security/vulnerabilities_24.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1695020
- https://access.redhat.com/errata/RHSA-2019:3932
- https://access.redhat.com/errata/RHSA-2019:3933
- https://access.redhat.com/errata/RHSA-2019:2343
- https://access.redhat.com/errata/RHSA-2019:3436
- https://access.redhat.com/errata/RHSA-2019:3935
- https://access.redhat.com/errata/RHSA-2019:4126
- https://access.redhat.com/security/cve/cve-2019-0217
- http://www.securityfocus.com/bid/107668
- https://seclists.org/bugtraq/2019/Apr/5
- https://security.netapp.com/advisory/ntap-20190423-0001/
- https://www.debian.org/security/2019/dsa-4422
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WETXNQWNQLWHV6XNW6YTO5UGDTIWAQGT/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZRMTEIGZKYFNGIDOTXN3GNEJTLVCYU7/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ALIR5S3O7NRHEGFMIDMUSYQIZOE4TJJN/
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://lists.debian.org/debian-lts-announce/2019/04/msg00008.html
- https://lists.apache.org/thread.html/e0b8f6e858b1c8ec2ce8e291a2c543d438915037c7af661ab6d33808@%3Cdev.httpd.apache.org%3E
- http://www.openwall.com/lists/oss-security/2019/04/02/5
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00051.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00061.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00084.html
- https://usn.ubuntu.com/3937-1/
- https://usn.ubuntu.com/3937-2/
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03950en_us
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538@%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E
- https://launchpad.net/bugs/cve/CVE-2019-0217
- http://www.apache.org/dist/httpd/CHANGES_2.4
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1695046
- http://svn.apache.org/viewvc?view=revision&revision=1855298
- https://access.redhat.com/support/policy/updates/errata/
- https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/e0b8f6e858b1c8ec2ce8e291a2c543d438915037c7af661ab6d33808%40%3Cdev.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9%40%3Ccvs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ALIR5S3O7NRHEGFMIDMUSYQIZOE4TJJN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZRMTEIGZKYFNGIDOTXN3GNEJTLVCYU7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WETXNQWNQLWHV6XNW6YTO5UGDTIWAQGT/
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03950en_us
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-0217
- https://svn.apache.org/r1855298
- https://security-tracker.debian.org/tracker/CVE-2019-0217
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0217
- https://nvd.nist.gov/vuln/detail/CVE-2019-0217
- https://ubuntu.com/security/CVE-2019-0217
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2019-0217?
CVE-2019-0217 is classified as a high severity vulnerability due to its potential to bypass authentication controls.
How do I fix CVE-2019-0217?
To mitigate CVE-2019-0217, upgrade Apache HTTP Server to version 2.4.39 or later.
Who is affected by CVE-2019-0217?
CVE-2019-0217 affects Apache HTTP Server versions 2.4.38 and earlier when run in a threaded MPM configuration.
What kind of vulnerability is CVE-2019-0217?
CVE-2019-0217 is a race condition vulnerability in mod_auth_digest, enabling authentication bypass.
What products are related to CVE-2019-0217?
Apache HTTP Server, Red Hat products including jbcs-httpd24-apr and various utilities are related to CVE-2019-0217.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-0217
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/remedy
- agent/references
- agent/description
- agent/last-modified-date
- agent/trending
- agent/source
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- package-manager/redhat
- package-manager/debian
- vendor/apache
- canonical/apache http server
- version/apache http server/2.4.0
- version/apache http server/2.4.38
- vendor/debian
- canonical/debian
- version/debian/8.0
- version/debian/9.0
- vendor/fedoraproject
- canonical/fedora
- version/fedora/28
- version/fedora/29
- version/fedora/30
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/12.04
- version/ubuntu/14.04
- version/ubuntu/16.04
- version/ubuntu/18.04
- version/ubuntu/18.10
- vendor/redhat
- canonical/red hat enterprise linux
- canonical/red hat enterprise linux desktop
- version/red hat enterprise linux desktop/7.0
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/7.0
- canonical/red hat enterprise linux workstation
- version/red hat enterprise linux workstation/7.0
- vendor/opensuse
- canonical/suse linux
- version/suse linux/15.0
- version/suse linux/42.3
- vendor/netapp
- canonical/netapp oncommand unified manager for 7-mode
- canonical/ibm data ontap
- vendor/oracle
- canonical/oracle enterprise manager ops center
- version/oracle enterprise manager ops center/12.3.3
- version/oracle enterprise manager ops center/12.4.0
- canonical/oracle http server
- version/oracle http server/12.2.1.3.0
- canonical/oracle retail xstore office cloud service
- version/oracle retail xstore office cloud service/7.0
- version/oracle retail xstore office cloud service/7.1