
USN-3937-1: Apache HTTP Server vulnerabilities

First published: Thu Apr 04 2019

Charles Fol discovered that the Apache HTTP Server incorrectly handled the scoreboard shared memory area. A remote attacker able to upload and run scripts could possibly use this issue to execute arbitrary code with root privileges. (CVE-2019-0211)

It was discovered that the Apache HTTP Server HTTP/2 module incorrectly handled certain requests. A remote attacker could possibly use this issue to cause the server to consume resources, leading to a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-17189)

It was discovered that the Apache HTTP Server incorrectly handled session expiry times. When used with mod_session_cookie, this may result in the session expiry time being ignored, contrary to expectations. (CVE-2018-17199)

Craig Young discovered that the Apache HTTP Server HTTP/2 module incorrectly handled certain requests. A remote attacker could possibly use this issue to cause the server to process requests incorrectly. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2019-0196)

Simon Kappel discovered that the Apache HTTP Server mod_auth_digest module incorrectly handled threads. A remote attacker with valid credentials could possibly use this issue to authenticate using another username, bypassing access control restrictions. (CVE-2019-0217)

Bernhard Lorenz discovered that the Apache HTTP Server was inconsistent when processing requests containing multiple consecutive slashes. This could cause directives such as LocationMatch and RewriteRule to perform contrary to expectations. (CVE-2019-0220)

Affected Software                     Affected Version        How to fix
ubuntu/apache2-bin on Ubuntu 18.10    < 2.4.34-1ubuntu2.1     Upgrade to 2.4.34-1ubuntu2.1
ubuntu/apache2-bin on Ubuntu 18.04    < 2.4.29-1ubuntu4.6     Upgrade to 2.4.29-1ubuntu4.6
ubuntu/apache2-bin on Ubuntu 16.04    < 2.4.18-2ubuntu3.10    Upgrade to 2.4.18-2ubuntu3.10
ubuntu/apache2-bin on Ubuntu 14.04    < 2.4.7-1ubuntu4.22     Upgrade to 2.4.7-1ubuntu4.22


Frequently Asked Questions

  • What is the vulnerability ID for this advisory?

    CVE-2019-0211

  • What is the root cause of the vulnerability?

    The Apache HTTP Server incorrectly handles the scoreboard shared memory area.

  • What is the impact of the vulnerability?

    A remote attacker able to upload and run scripts could execute arbitrary code with root privileges.

  • How can I fix this vulnerability on Ubuntu 18.10 with Apache version 2.4.34-1ubuntu2.1?

    Upgrade the apache2-bin package to version 2.4.34-1ubuntu2.1 or later.

  • Where can I find more information about this vulnerability?

    For more information, refer to the Ubuntu security advisory at https://ubuntu.com/security/CVE-2019-0211.
