First published: Thu Aug 29 2019
Stefan Eissing discovered that the HTTP/2 implementation in Apache did not properly handle upgrade requests from HTTP/1.1 to HTTP/2 in some situations. A remote attacker could use this to cause a denial of service (daemon crash). This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.04. (CVE-2019-0197)

Craig Young discovered that a memory overwrite error existed in Apache when performing HTTP/2 very early pushes in some situations. A remote attacker could use this to cause a denial of service (daemon crash). This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.04. (CVE-2019-10081)

Craig Young discovered that a read-after-free error existed in the HTTP/2 implementation in Apache during connection shutdown. A remote attacker could use this to possibly cause a denial of service (daemon crash) or possibly expose sensitive information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.04. (CVE-2019-10082)

Matei Badanoiu discovered that the mod_proxy component of Apache did not properly filter URLs when reporting errors in some configurations. A remote attacker could possibly use this issue to conduct cross-site scripting (XSS) attacks. (CVE-2019-10092)

Daniel McCarney discovered that the mod_remoteip component of Apache contained a stack buffer overflow when parsing headers from a trusted intermediary proxy in some situations. A remote attacker controlling a trusted proxy could use this to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 19.04. (CVE-2019-10097)

Yukitsugu Sasaki discovered that the mod_rewrite component in Apache was vulnerable to open redirects in some situations. A remote attacker could use this to possibly expose sensitive information or bypass intended restrictions. (CVE-2019-10098)

Jonathan Looney discovered that the HTTP/2 implementation in Apache did not properly limit the amount of buffering for client connections in some situations. A remote attacker could use this to cause a denial of service (unresponsive daemon). This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.04. (CVE-2019-9517)

Affected Software | Affected Version | How to fix |
---|---|---|
All of | ||
ubuntu/apache2 | <2.4.38-2ubuntu2.2 | 2.4.38-2ubuntu2.2 |
Ubuntu OpenSSH Client | =19.04 | |
All of | ||
ubuntu/apache2-bin | <2.4.38-2ubuntu2.2 | 2.4.38-2ubuntu2.2 |
Ubuntu OpenSSH Client | =19.04 | |
All of | ||
ubuntu/apache2 | <2.4.29-1ubuntu4.10 | 2.4.29-1ubuntu4.10 |
Ubuntu OpenSSH Client | =18.04 | |
All of | ||
ubuntu/apache2-bin | <2.4.29-1ubuntu4.10 | 2.4.29-1ubuntu4.10 |
Ubuntu OpenSSH Client | =18.04 | |
All of | ||
ubuntu/apache2 | <2.4.18-2ubuntu3.12 | 2.4.18-2ubuntu3.12 |
Ubuntu OpenSSH Client | =16.04 | |
All of | ||
ubuntu/apache2-bin | <2.4.18-2ubuntu3.12 | 2.4.18-2ubuntu3.12 |
Ubuntu OpenSSH Client | =16.04 | |
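
As an added example (not part of the original advisory), the following shell script checks a host against the fixed versions in the table above. The function names are hypothetical; it assumes a dpkg-based system and falls back to `sort -V` for the comparison when `dpkg` is absent.

```shell
#!/bin/sh
# Added example, not from the advisory: compare installed apache2 packages
# with the fixed versions in the table. Function names are hypothetical.

# Fixed apache2 / apache2-bin version per Ubuntu release (from the table).
fixed_version_for() {
  case "$1" in
    19.04) echo "2.4.38-2ubuntu2.2" ;;
    18.04) echo "2.4.29-1ubuntu4.10" ;;
    16.04) echo "2.4.18-2ubuntu3.12" ;;
    *) return 1 ;;  # release not listed in this advisory
  esac
}

# Succeeds when installed >= fixed. dpkg gives the authoritative ordering;
# sort -V is a fallback that orders these plain version strings the same way.
is_patched() {
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --compare-versions "$1" ge "$2"
  else
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
  fi
}

# Report the state of both packages named in the table on the local host.
check_host() {
  release="" fixed="" rc=0
  if [ -r /etc/os-release ]; then
    release="$(. /etc/os-release; [ "${ID:-}" = ubuntu ] && echo "${VERSION_ID:-}")"
  fi
  fixed="$(fixed_version_for "$release")" || {
    echo "release '${release:-unknown}' is not listed in this advisory"; return 0; }
  for pkg in apache2 apache2-bin; do
    installed="$(dpkg-query -W -f='${Version}' "$pkg" 2>/dev/null)" || installed=""
    if [ -z "$installed" ]; then
      echo "$pkg: not installed"
    elif is_patched "$installed" "$fixed"; then
      echo "$pkg: $installed is at or above $fixed"
    else
      echo "$pkg: $installed is below $fixed, update needed"; rc=1
    fi
  done
  return "$rc"
}

check_host || true
```
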
(Contains the following vulnerabilities)
CVE-2019-0197
The severity of CVE-2019-0197 is not mentioned in the provided information.
CVE-2019-0197 can cause a denial of service (daemon crash) in the Apache HTTP Server.
Apache HTTP Server versions 2.4.38-2ubuntu2.2, 2.4.29-1ubuntu4.10, and 2.4.18-2ubuntu3.12 are affected by CVE-2019-0197.
To fix CVE-2019-0197, update Apache HTTP Server to version 2.4.38-2ubuntu2.2, 2.4.29-1ubuntu4.10, or 2.4.18-2ubuntu3.12.