The Apache HTTP Server is a popular open-source web server that can be deployed across multiple platforms and environments. Affected versions are vulnerable to root privilege escalation: a malicious user who exploits the vulnerability can execute arbitrary code with root privileges on the targeted system. Non-Unix systems are not affected.
CVE-2019-0211 resides in the Apache Multi-Processing Modules (MPMs), mostly mpm_prefork_module, mpm_worker_module, and mpm_event_module. The Apache web server uses a shared-memory region called the scoreboard to keep track of worker processes (less-privileged children) managed by mpm_prefork_module, which runs with root privileges. To exploit the flaw, an attacker must first gain read/write access to a worker process (via a separate exploit) and can then manipulate the scoreboard, which is used for interactions between the parent (usually root) and its children. By manipulating the scoreboard, the attacker could use an arbitrary script to make it point to a rogue worker. The attacker's code would then be triggered by an Apache graceful restart (apache2ctl graceful), which is usually initiated by the logrotate system utility every 24 hours. In this way, an intruder could use the vulnerability to upload and execute scripts on the web server with root privileges.
CVE-2019-0211 only affects UNIX-like systems running Apache servers from versions 2.4.17 (October 9th, 2015) to 2.4.38 (April 1st, 2019). This vulnerability is particularly troublesome to hosting companies providing “shared web hosting plans,” which allow multiple users to share the same parent Apache server for hosting their websites.
To fix this privilege escalation bug, upgrade your Apache HTTP Server to version 2.4.39 (released on April 1st, 2019) or higher. Various UNIX distributions, such as Ubuntu, Debian, and SuSE, have already issued package updates to patch this flaw, so users are advised to install these updates on their systems as soon as possible.
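To triage hosts against the version range given above, the following added example (not code from the Apache project or from this article's author) classifies an Apache version banner as falling inside or outside 2.4.17 to 2.4.38. The function names and sample banners are constructed for illustration; because distribution packages can carry the fix under an older version string, an "affected" result is a prompt to check the vendor's advisory rather than a final verdict.

```shell
#!/bin/sh
# Added example: classify an Apache version banner against the range this
# article gives for CVE-2019-0211 (2.4.17 through 2.4.38, fixed in 2.4.39).
# Function names are hypothetical; they are not part of any Apache tooling.

# Extract "major.minor.patch" from a banner such as
# "Server version: Apache/2.4.29 (Ubuntu)". Prints nothing if none is found.
extract_apache_version() {
    printf '%s\n' "$1" |
        sed -n 's|.*Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1
}

# Print "affected", "not-affected" or "unknown" for a banner string.
cve_2019_0211_status() {
    ver=$(extract_apache_version "$1")
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    major=${ver%%.*}      # text before the first dot
    rest=${ver#*.}        # text after the first dot
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] &&
       [ "$patch" -ge 17 ] && [ "$patch" -le 38 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Check the locally installed server if one is on PATH. The control-script
# name varies by distribution, so several common names are tried.
for bin in apache2ctl apachectl httpd; do
    if command -v "$bin" >/dev/null 2>&1; then
        banner=$("$bin" -v 2>/dev/null || true)
        echo "$bin: $(cve_2019_0211_status "$banner")"
        break
    fi
done
```
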
Use the latest version of the Apache HTTP Server.
Avoid shared web hosting plans.