Apache HTTP Server privilege escalation from modules' scripts (CVE-2019-0211)

April 4, 2019

Summary

In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected. 

Acknowledgments: The issue was discovered by Charles Fol.

Impact

  • Root privilege escalation

Vulnerable

  • Affects Apache 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17

Recommendations

  • Upgrade to Apache HTTPD 2.4.39
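
A triage check for the conditions in the summary, added here as an example and not part of the original advisory: it reads `httpd -V` output and reports whether the version falls in 2.4.17 to 2.4.38 with the event, worker or prefork MPM. The function name `classify_httpd`, the verdict strings and the sample output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the advisory. Reads `httpd -V` (or `apachectl -V`)
# output on stdin and prints: affected | not-affected | unknown.
# Assumption: the version string is unmodified upstream numbering. Distribution
# packages can carry a backported fix under an in-range version, so confirm an
# "affected" verdict against the vendor's package changelog.
classify_httpd() {
    awk '
        /^Server version:/ {
            # e.g. "Server version: Apache/2.4.29 (Ubuntu)"
            if (match($0, /Apache\/[0-9]+\.[0-9]+\.[0-9]+/)) {
                split(substr($0, RSTART + 7, RLENGTH - 7), v, ".")
                have_ver = 1
            }
        }
        /^Server MPM:/ { mpm = tolower($3) }
        END {
            if (!have_ver) { print "unknown"; exit }
            # Range from the summary: 2.4.17 through 2.4.38; fixed in 2.4.39.
            if (!(v[1] == 2 && v[2] == 4 && v[3] >= 17 && v[3] <= 38)) {
                print "not-affected"; exit
            }
            # Without the MPM line the Unix/non-Unix question stays open.
            if (mpm == "") { print "unknown"; exit }
            # Non-Unix builds run a different MPM (WinNT on Windows) and
            # are outside the advisory.
            if (mpm == "event" || mpm == "worker" || mpm == "prefork")
                print "affected"
            else
                print "not-affected"
        }'
}

# Constructed sample output, not captured from a real host.
sample_in_scope='Server version: Apache/2.4.29 (Ubuntu)
Server built:   2019-01-01T00:00:00
Server MPM:     event
  threaded:     yes (fixed thread count)'

printf '%s\n' "$sample_in_scope" | classify_httpd   # affected
```

On a host, pipe the real output in: `httpd -V 2>/dev/null | classify_httpd` (the binary may be named `apache2` or wrapped by `apachectl`, depending on the distribution).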
