On April 1, 2019, the Apache HTTP Server Project issued a security advisory outlining vulnerabilities that affect Apache HTTP Server version 2.4.38 and earlier. To review the security advisory, see this article.
The Apache Server Project security advisory lists the following CVEs:
- CVE-2019-0211
- CVE-2019-0217
- CVE-2019-0215
- CVE-2019-0197
- CVE-2019-0196
- CVE-2019-0220
Description
- CVE-2019-0211
With MPM event, worker, or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root). This action is achieved by manipulating the scoreboard. Non-UNIX systems aren't affected.
- CVE-2019-0217
A race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
- CVE-2019-0215
A bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client supporting Post-Handshake Authentication to bypass configured access control restrictions.
- CVE-2019-0197
When HTTP/2 was enabled for an 'http: host' or H2Upgrade was enabled for h2 on an 'http: host', an upgrade request from 'http/1.1' to 'http/2' that wasn't the first request on a connection could lead to a misconfiguration and crash. A server that never enabled the h2 protocol, or that only enabled it for 'https:' and didn't configure 'H2Upgrade on', is unaffected.
- CVE-2019-0196
Using fuzzed network input, the http/2 request handling could be made to access freed memory in string comparison when determining the method of a request and thus process the request incorrectly.
- CVE-2019-0220
When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions, while other aspects of the server's processing implicitly collapse them.
Research and Conclusions
The ePO Engineering team has researched each of the CVEs below and concluded that ePO is not affected:
- CVE-2019-0211: ePO is Windows only and this CVE affects only UNIX systems.
- CVE-2019-0217: ePO doesn't use the mod_auth_digest module.
- CVE-2019-0215: ePO Apache doesn't support TLSv1.3 yet.
- CVE-2019-0197: ePO Apache doesn't support HTTP/2 yet.
- CVE-2019-0196: ePO Apache doesn't support HTTP/2 yet.
- CVE-2019-0220: ePO doesn't use the RewriteRule directive (the rewrite module isn't even enabled), and it also doesn't use LocationMatch.
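The same reasoning can be applied to any Apache configuration by checking for the directives each CVE depends on. The following is an added example, not ePO or Apache project code; `audit` and `SAMPLE_CONFIG` are hypothetical names and the configuration is constructed. It covers only the preconditions visible in the configuration file, so CVE-2019-0211 (a platform condition) is out of scope.

```python
import re

# Preconditions from the CVE descriptions, expressed as directive patterns.
# Apache directive names are case-insensitive, so matching ignores case.
LINE_CHECKS = [
    ("CVE-2019-0217", r"LoadModule\s+auth_digest_module\b", "mod_auth_digest loaded"),
    ("CVE-2019-0197", r"H2Upgrade\s+on\b", "H2Upgrade is on"),
    ("CVE-2019-0197", r"Protocols\b.*\bh2c\b", "HTTP/2 enabled on http:"),
    ("CVE-2019-0196", r"Protocols\b.*\bh2c?\b", "HTTP/2 enabled"),
    ("CVE-2019-0220", r"(<LocationMatch|RewriteRule)\b", "regex path directive"),
]
SECTION_OPEN = re.compile(r"<(Location|Directory|Files)(Match)?\b", re.I)
SECTION_CLOSE = re.compile(r"</(Location|Directory|Files)(Match)?>", re.I)

# Constructed sample configuration, not taken from any product.
SAMPLE_CONFIG = """\
LoadModule ssl_module modules/mod_ssl.so
LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule rewrite_module modules/mod_rewrite.so
Protocols h2 http/1.1
<Location "/secure">
    SSLVerifyClient require
</Location>
<LocationMatch "^/reports/">
    Require all granted
</LocationMatch>
"""

def audit(config_text):
    """Return a sorted list of (cve, line_number, reason) findings."""
    findings, depth = set(), 0
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out directives
        if SECTION_CLOSE.match(line):
            depth = max(depth - 1, 0)
            continue
        for cve, pattern, reason in LINE_CHECKS:
            if re.match(pattern, line, re.I):
                findings.add((cve, number, reason))
        # CVE-2019-0215 needs client-certificate verification scoped to a
        # location; TLSv1.3 support depends on the build, so flag for review.
        if depth > 0 and re.match(r"SSLVerifyClient\s+(require|optional)", line, re.I):
            findings.add(("CVE-2019-0215", number, "per-location SSLVerifyClient"))
        if SECTION_OPEN.match(line):
            depth += 1
    return sorted(findings)
```

An empty result means none of the checked preconditions appear in that file; included files and `.htaccess` overrides need to be audited separately.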
Related article:
KB82555 - ePolicy Orchestrator Sustaining Engineering Statement (SBC1407112) - ePO and modules included with the Apache HTTP server.