ArchLinux: 201901-14: apache: multiple issues

    Date27 Jan 2019
    CategoryArchLinux
    798
    Posted ByAnthony Pell
    The package apache before version 2.4.38-1 is vulnerable to multiple issues including denial of service and insufficient validation.
    Arch Linux Security Advisory ASA-201901-14
    ==========================================
    
    Severity: High
    Date    : 2019-01-24
    CVE-ID  : CVE-2018-17189 CVE-2018-17199 CVE-2019-0190
    Package : apache
    Type    : multiple issues
    Remote  : Yes
    Link    : https://security.archlinux.org/AVG-857
    
    Summary
    =======
    
    The package apache before version 2.4.38-1 is vulnerable to multiple
    issues including denial of service and insufficient validation.
    
    Resolution
    ==========
    
    Upgrade to 2.4.38-1.
    
    # pacman -Syu "apache>=2.4.38-1"
    
    The problems have been fixed upstream in version 2.4.38.
    
    Workaround
    ==========
    
    - CVE-2018-17189
    
    Disable the h2 protocol.
    
    Description
    ===========
    
    - CVE-2018-17189 (denial of service)
    
    By sending request bodies in a slow loris way to plain resources, the
    h2 stream of Apache HTTP Server before 2.4.38 for that request
    unnecessarily occupied a server thread cleaning up that incoming data.
    This affects only HTTP/2 connections. A possible mitigation is to not
    enable the h2 protocol.
    
    - CVE-2018-17199 (insufficient validation)
    
    In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks
    the session expiry time before decoding the session. This causes
    session expiry time to be ignored for mod_session_cookie sessions since
    the expiry time is loaded when the session is decoded.
    
    - CVE-2019-0190 (denial of service)
    
    A bug exists in the way mod_ssl handled client renegotiations. A remote
    attacker could send a carefully crafted request that would cause
    mod_ssl to enter a loop leading to a denial of service. This bug can be
    only triggered with Apache HTTP Server version 2.4.37 when using
    OpenSSL version 1.1.1 or later, due to an interaction in changes to
    handling of renegotiation attempts.
    
    Impact
    ======
    
    An attacker is able to crash the Apache server by sending maliciously-
    crafted h2 requests and SSL handshakes. In addition, an attacker is
    able to reuse an expired session.
    
    References
    ==========
    
    https://httpd.apache.org/security/vulnerabilities_24.html#2.4.38
    https://security.archlinux.org/CVE-2018-17189
    https://security.archlinux.org/CVE-2018-17199
    https://security.archlinux.org/CVE-2019-0190
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"25","type":"x","order":"1","pct":54.35,"resources":[]},{"id":"88","title":"Should be more technical","votes":"5","type":"x","order":"2","pct":10.87,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"16","type":"x","order":"3","pct":34.78,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.