Home > Vulnerability Database > CVE-2019-0211

Mend.io Vulnerability Database

New vulnerability? Tell us about it!

CVE-2019-0211

Date: April 8, 2019

Overview

The Apache HTTP Server is a popular open-source web server software that can be deployed across multiple platforms and environments. Affected versions of this software are vulnerable to illicit root privilege escalation. This vulnerability can be exploited when a malicious user executes arbitrary code and gains root privileges on a targeted system. Non-Unix systems are not affected.

Details

The CVE-2019-0211 vulnerability is found in Apache Multi-Processing Modules (MPMs), mostly mpm_prefork_module, mpm_worker_module, and mpm_event_module. Basically, the Apache web server utilizes a shared-memory region called scoreboard to keep track of worker processes (less-privileged child activities) managed by mpm_prefork_module (root privileges). To exploit this flaw, a hacker could get read/write access of a worker process (via a separate exploit) and then manipulate the scoreboard used for parent (usually the root) and child interactions. When manipulating the scoreboard, the hacker could implement an arbitrary script that makes the scoreboard point to a rogue worker. Consequently, the hacker’s nefarious code could be triggered by an Apache graceful restart (apache2ctl graceful), which is usually initiated by the logrotate system utility every 24 hours. This way, an intruder could use this vulnerability to upload and execute scripts on the web server with root privileges.

Affected Environments

CVE-2019-0211 only affects UNIX-like systems running Apache servers from versions 2.4.17 (October 9th, 2015) to 2.4.38 (April 1st, 2019). This vulnerability is particularly troublesome to hosting companies providing “shared web hosting plans,” which allow multiple users to share the same parent Apache server for hosting their websites.

Remediation

To fix this privilege escalation bug, upgrade your Apache HTTP Server to version 2.4.39 (released on April 1st, 2019), or higher. Various UNIX distributions, such as Ubuntu, Debian, and SuSE, have already issued package updates to patch this flaw. So, users are advised to install these updates on their systems as soon as possible.

Prevention

Use the latest version of the Apache HTTP Server Avoid shared web hosting plans

Language: C

Good to know:

7.8

Permissions, Privileges, and Access Control

CWE-264

Use After Free

CWE-416

Upgrade Version

Upgrade to version 2.4.39

CVSS v3.1
CVSS v2

Base Score:	7.8
Attack Vector (AV):	Local
Attack Complexity (AC):	Low
Privileges Required (PR):	Low
User Interaction (UI):	None
Scope (S):	Unchanged
Confidentiality (C):	High
Integrity (I):	High
Availability (A):	High

Base Score:	7.2
Access Vector (AV):	Local
Access Complexity (AC):	Low
Authentication (AU):	None
Confidentiality (C):	Complete
Integrity (I):	Complete
Availability (A):	Complete
Additional information:

Related Resources (57)

Url: https://lists.apache.org/thread.html/de881a130bc9cb2f3a9ff220784520556884fb8ea80e69400a45509e@%3Cdev.community.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2019:1297

Url: https://www.oracle.com/security-alerts/cpuapr2020.html

Url: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Url: https://access.redhat.com/errata/RHSA-2019:1296

Url: https://lists.apache.org/thread.html/b2bdb308dc015e771ba79c0586b2de6fb50caa98b109833f5d4daf28@%3Cdev.community.apache.org%3E

Url: https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234@%3Ccvs.httpd.apache.org%3E

Url: https://www.exploit-db.com/exploits/46676/

Url: https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a@%3Ccvs.httpd.apache.org%3E

Url: https://security.gentoo.org/glsa/201904-20

Url: https://www.debian.org/security/2019/dsa-4422

Url: https://access.redhat.com/security/cve/CVE-2019-0211

Url: https://security.netapp.com/advisory/ntap-20190423-0001/

Url: https://usn.ubuntu.com/3937-1/

Url: https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d@%3Ccvs.httpd.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2019:1543

Url: http://www.securityfocus.com/bid/107666

Url: https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9@%3Ccvs.httpd.apache.org%3E

Url: http://www.apache.org/dist/httpd/CHANGES_2.4.39

Url: https://support.f5.com/csp/article/K32957101

Url: https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E

Url: http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00061.html

Url: https://seclists.org/bugtraq/2019/Apr/16

Url: https://www.synology.com/security/advisory/Synology_SA_19_14

Url: http://www.openwall.com/lists/oss-security/2019/04/02/3

Url: https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830@%3Ccvs.httpd.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2019:0980

Url: https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf@%3Ccvs.httpd.apache.org%3E

Url: http://www.openwall.com/lists/oss-security/2019/07/26/7

Url: https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f@%3Ccvs.httpd.apache.org%3E

Url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Url: https://nvd.nist.gov/vuln/detail/CVE-2019-0211

Url: https://lists.apache.org/thread.html/890507b85c30adf133216b299cc35cd8cd0346a885acfc671c04694e@%3Cdev.community.apache.org%3E

Url: https://httpd.apache.org/security/vulnerabilities_24.html

Url: http://packetstormsecurity.com/files/152415/Slackware-Security-Advisory-httpd-Updates.html

Url: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03950en_us

Url: https://seclists.org/bugtraq/2019/Apr/5

Url: https://lists.apache.org/thread.html/b1613d44ec364c87bb7ee8c5939949f9b061c05c06e0e90098ebf7aa@%3Cusers.httpd.apache.org%3E

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ALIR5S3O7NRHEGFMIDMUSYQIZOE4TJJN/

Url: https://security-tracker.debian.org/tracker/CVE-2019-0211

Url: https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920@%3Ccvs.httpd.apache.org%3E

Url: https://lists.apache.org/thread.html/fd110f4ace2d8364c7d9190e1993cde92f79e4eb85576ed9285686ac@%3Ccvs.httpd.apache.org%3E

Url: https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9@%3Ccvs.httpd.apache.org%3E

Url: http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00051.html

Url: http://packetstormsecurity.com/files/152386/Apache-2.4.38-Root-Privilege-Escalation.html

Url: https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538@%3Ccvs.httpd.apache.org%3E

Url: http://packetstormsecurity.com/files/152441/CARPE-DIEM-Apache-2.4.x-Local-Privilege-Escalation.html

Url: https://security.alpinelinux.org/vuln/CVE-2019-0211

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WETXNQWNQLWHV6XNW6YTO5UGDTIWAQGT/

Url: https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba@%3Ccvs.httpd.apache.org%3E

Url: https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d@%3Ccvs.httpd.apache.org%3E

Url: https://access.redhat.com/errata/RHBA-2019:0959

Url: https://access.redhat.com/errata/RHSA-2019:0746

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2019-0211

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZRMTEIGZKYFNGIDOTXN3GNEJTLVCYU7/

Url: http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00084.html

Url: https://www.mend.io/vulnerability-database/CVE-2019-0211