Apache HTTP Server < 2.4.39 Multiple Vulnerabilities

high Nessus Network Monitor Plugin ID 700509

Synopsis

The remote web server is missing an Apache HTTP Server patch update.

Description

Versions of Apache HTTP Server prior to 2.4.39 are unpatched and therefore affected by multiple vulnerabilities:

- Using fuzzed network input, the HTTP/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly. (CVE-2019-0196)
- When HTTP/2 was enabled for a 'http: host' or H2Upgrade was enabled for h2 on a 'https: host', an Upgrade request from HTTP/1.1 to HTTP/2 that was not the first request on a connection could lead to a misconfiguration and crash. A server that never enabled the h2 protocol, or that only enabled it for HTTPS and did not configure "H2Upgrade on", is unaffected by this. (CVE-2019-0197)
- With MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process by manipulating the scoreboard. (CVE-2019-0211)
- A bug in 'mod_ssl' when using per-location client certificate verification with TLSv1.3 allows a client supporting Post-Handshake Authentication to bypass configured access control restrictions. (CVE-2019-0215)
- A race condition in 'mod_auth_digest' when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions. (CVE-2019-0217)
- When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as 'LocationMatch' and 'RewriteRule' must account for duplicates in regular expressions while other aspects of the server's processing will implicitly collapse them. (CVE-2019-0220)
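To audit existing 'LocationMatch' or 'RewriteRule' patterns for the CVE-2019-0220 mismatch, the following added example (not part of the plugin or of Apache's code) models it in Python: it doubles each slash of a known protected path and reports the variants the pattern no longer matches. The function names, the sample pattern `^/admin/` and the path `/admin/panel` are constructed for illustration, and Python's `re` stands in for the PCRE engine Apache uses.

```python
import re


def collapse_slashes(path):
    """Model of the implicit slash collapsing the advisory describes
    (an assumption for illustration, not Apache's implementation)."""
    return re.sub(r"/{2,}", "/", path)


def slash_variants(path):
    """Yield copies of `path` with each single '/' doubled in turn."""
    for m in re.finditer(r"/", path):
        yield path[:m.start()] + "//" + path[m.end():]


def audit_pattern(pattern, sample_path):
    """Return the slash-duplicated variants of `sample_path` that collapse
    back to it but are NOT matched by `pattern`.

    A non-empty result means the directive's regex and the rest of request
    processing disagree about which resource the URL names.
    """
    rx = re.compile(pattern)
    if not rx.search(sample_path):
        raise ValueError("pattern does not match the sample path itself")
    return [
        v for v in slash_variants(sample_path)
        if collapse_slashes(v) == sample_path and not rx.search(v)
    ]


if __name__ == "__main__":
    # Constructed sample: a pattern written with single slashes in mind.
    weak = r"^/admin/"
    # Same rule, rewritten to tolerate runs of slashes.
    hardened = r"^/+admin/+"
    for pat in (weak, hardened):
        missed = audit_pattern(pat, "/admin/panel")
        print(f"{pat!r}: unmatched variants = {missed}")
```

Upgrading to 2.4.39 or later remains the fix; the check only highlights patterns that were written without duplicate slashes in mind.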

Solution

Upgrade to Apache HTTP Server 2.4.39 or later.

See Also

https://cfreal.github.io/carpe-diem-cve-2019-0211-apache-local-root.html

Plugin Details

Severity: High

ID: 700509

Family: Web Servers

Published: 4/8/2019

Updated: 4/8/2019

Dependencies: 8947

Nessus ID: 123642

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 6.9

Temporal Score: 5.4

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*

Patch Publication Date: 4/1/2019

Vulnerability Publication Date: 4/1/2019

Reference Information

CVE: CVE-2019-0217, CVE-2019-0220, CVE-2019-0196, CVE-2019-0197, CVE-2019-0211, CVE-2019-0215

BID: 107670, 107669, 107666, 107667, 107668

IAVA: 2019-A-0098