Synology-SA-19:14 Apache HTTP Server

Publish Time: 2019-04-03 14:41:40 UTC+8

Last Updated: 2019-05-15 17:45:34 UTC+8

Severity
Important
Status
Resolved

Abstract

CVE-2019-0211 allows local users to conduct privilege escalation attacks via a susceptible version of Apache HTTP server 2.4.

Affected Products

Product Severity Fixed Release Availability
Apache HTTP Server 2.2 Not affected N/A
Apache HTTP Server 2.4 Important Upgrade to 2.4.39-0014 or above.

Mitigation

None

Detail

  • CVE-2019-0211
    • Severity: Important
    • CVSS3 Base Score: 7.5
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
    • In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.

Reference

Revision

Revision Date Description
1 2019-04-03 Initial public release.
2 2019-04-03 Update for Apache HTTP Server 2.4 is now available in Affected Products.
3 2019-05-15 Disclosed vulnerability details.