oss-sec mailing list archives

CVE-2019-0211: Apache HTTP Server privilege escalation from modules' scripts

From: Daniel Ruggeri <druggeri () apache org>
Date: Mon, 01 Apr 2019 20:31:24 -0500


CVE-2019-0211: Apache HTTP Server privilege escalation from modules' scripts

Severity: important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.17 to 2.4.38

Description:
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event,
worker or prefork, code executing in less-privileged child processes
or threads (including scripts executed by an in-process scripting
interpreter) could execute arbitrary code with the privileges of the
parent process (usually root) by manipulating the scoreboard. Non-Unix
systems are not affected.

Mitigation:
All httpd users running MPM event, worker or prefork should upgrade to
2.4.39 or later.

Credit:
The issue was discovered by Charles Fol.

References:
https://httpd.apache.org/security/vulnerabilities_24.html

Current thread:

CVE-2019-0211: Apache HTTP Server privilege escalation from modules' scripts Daniel Ruggeri (Apr 02)