Debian DSA-4422-1 : apache2 - security update

high Nessus Plugin ID 123691
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been found in the Apache HTTP server.

- CVE-2018-17189 Gal Goldshtein of F5 Networks discovered a denial of service vulnerability in mod_http2. By sending malformed requests, the http/2 stream for that request unnecessarily occupied a server thread cleaning up incoming data, resulting in denial of service.

- CVE-2018-17199 Diego Angulo from ImExHS discovered that mod_session_cookie does not respect expiry time.

- CVE-2019-0196 Craig Young discovered that the http/2 request handling in mod_http2 could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly.

- CVE-2019-0211 Charles Fol discovered a privilege escalation from the less-privileged child process to the parent process running as root.

- CVE-2019-0217 A race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. The issue was discovered by Simon Kappel.

- CVE-2019-0220 Bernhard Lorenz of Alpha Strike Labs GmbH reported that URL normalizations were inconsistently handled. When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other aspects of the servers processing will implicitly collapse them.

Solution

Upgrade the apache2 packages.

For the stable distribution (stretch), these problems have been fixed in version 2.4.25-3+deb9u7.

This update also contains bug fixes that were scheduled for inclusion in the next stable point release. This includes a fix for a regression caused by a security fix in version 2.4.25-3+deb9u6.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920302

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920303

https://security-tracker.debian.org/tracker/CVE-2018-17189

https://security-tracker.debian.org/tracker/CVE-2018-17199

https://security-tracker.debian.org/tracker/CVE-2019-0196

https://security-tracker.debian.org/tracker/CVE-2019-0211

https://security-tracker.debian.org/tracker/CVE-2019-0217

https://security-tracker.debian.org/tracker/CVE-2019-0220

https://security-tracker.debian.org/tracker/source-package/apache2

https://packages.debian.org/source/stretch/apache2

https://www.debian.org/security/2019/dsa-4422

Plugin Details

Severity: High

ID: 123691

File Name: debian_DSA-4422.nasl

Version: 1.4

Type: local

Agent: unix

Published: 4/4/2019

Updated: 4/12/2019

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.6

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:POC/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:apache2, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/3/2019

Vulnerability Publication Date: 1/30/2019

Reference Information

CVE: CVE-2018-17189, CVE-2018-17199, CVE-2019-0196, CVE-2019-0211, CVE-2019-0217, CVE-2019-0220

DSA: 4422