oss-sec mailing list archives

CVE-2019-0215: mod_ssl access control bypass

From: Daniel Ruggeri <druggeri () apache org>
Date: Mon, 01 Apr 2019 20:31:27 -0500


CVE-2019-0215: mod_ssl access control bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.27 to 2.4.38

Description:
In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a
bug in mod_ssl when using per-location client certificate
verification with TLSv1.3 allowed a client to bypass
configured access control restrictions.
               
Mitigation:
This issue can be mitigated by disabling the TLSv1.3 protocol for a
VirtualHost which requires per-location or per-directory client
certificate authentication.

Credit:
The issue was discovered by Michael Kaufmann.

References:
https://httpd.apache.org/security/vulnerabilities_24.html

Current thread:

CVE-2019-0215: mod_ssl access control bypass Daniel Ruggeri (Apr 02)