[cv-announce-l] Apache HTTP Server privilege escalation from modules' scripts (CVE-2019-0211)


  • From: Andrew K Adams <akadams@psc.edu>
  • To: cv-announce@trustedci.org
  • Cc: "Andrew K. Adams" <akadams@psc.edu>
  • Subject: [cv-announce-l] Apache HTTP Server privilege escalation from modules' scripts (CVE-2019-0211)
  • Date: Thu, 4 Apr 2019 11:16:22 -0400

CI Operators:

Code executing in child processes (such as script interpreters, e.g., PHP, python) could execute arbitrary code as the parent (e.g., root) by manipulating the scoreboard file [1][2].


Impact:

A malicious user could execute arbitrary code with escalated privileges.


Affected Software:

Apache 2.4.17 - 2.4.38


Note that non-Unix systems are unaffected. The httpd package available with base CentOS 7 is also *not* affected, but httpd available via the Red Hat Software Collections is vulnerable. Debian 8 and later are affected. Ubuntu 16.x and later are affected. SUSE 12 is affected.
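A quick way to triage a host against the version range above, added here as an example and not part of the advisory: it parses the banner printed by `httpd -v` / `apache2 -v` and reports whether the reported version lies in 2.4.17 - 2.4.38. The banner format and the helper names are assumptions; as the note above says, distribution backports (e.g. base CentOS 7) can carry the fix without changing the version, so a "yes" means "confirm against your vendor's advisory", not a confirmed exposure.

```shell
# Constructed sample banner, in the format "httpd -v" prints (assumed).
SAMPLE_BANNER='Server version: Apache/2.4.38 (Unix)
Server built:   Apr  1 2019 10:00:00'

# Extract "2.4.38" from the first "Server version:" line of a banner.
apache_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Returns 0 if X.Y.Z is within 2.4.17 .. 2.4.38 inclusive, 1 if outside,
# 2 if the version string is not of the form major.minor.patch.
cve_2019_0211_affected() {
    ver="$1"
    case "$ver" in *.*.*) ;; *) return 2 ;; esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$patch" in ''|*[!0-9]*) return 2 ;; esac
    if [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] && [ "$patch" -ge 17 ] && [ "$patch" -le 38 ]; then
        return 0
    fi
    return 1
}

# Runs the installed binary (httpd or apache2) and prints a verdict.
# Exit status: 0 outside range, 1 inside range, 2 could not determine.
check_local_apache() {
    for bin in httpd apache2 /usr/sbin/httpd /usr/sbin/apache2; do
        if command -v "$bin" >/dev/null 2>&1; then
            banner=$("$bin" -v 2>/dev/null)
            ver=$(apache_version_from_banner "$banner")
            if [ -z "$ver" ]; then echo "could not parse version from $bin -v"; return 2; fi
            if cve_2019_0211_affected "$ver"; then
                echo "$bin $ver is in the affected range; confirm vendor fix status and upgrade"
                return 1
            fi
            echo "$bin $ver is outside the affected range"
            return 0
        fi
    done
    echo "no httpd/apache2 binary found"; return 2
}

# Offline demonstration on the constructed banner.
v=$(apache_version_from_banner "$SAMPLE_BANNER")
if cve_2019_0211_affected "$v"; then echo "sample $v: in affected range"; else echo "sample $v: not affected"; fi
```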


Recommendation:

Upgrade to the latest version of Apache 2.4.x available for your distribution.


References:

[1] https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-0211

[2] https://nakedsecurity.sophos.com/2019/04/04/apache-needs-a-patchy-carpe-diem-update-now/


How Trusted CI can help:

The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI can not provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (http://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.

