Recent Apache V2.4.x vulnerability clarifications

sunhux
Refer to the attached:

Q1:
Are they affecting Apache httpd (i.e. web servers) 2.4.x only,
or other lower versions too (e.g. our Solaris 10's Apache/2.0.63
is said to have been patched by our admin, but I'm not sure)?

Q2:
So versions 2.4.x running on Windows are not affected?

Q3:
Can you point me to where to get the patches for RHEL7/RHEL6
in the Red Hat support portal?
advisory1.pdf
advisory2.pdf

David Favor, Fractional CTO
Distinguished Expert 2018
Commented:
Whether this will affect you depends on many factors.

If you can afford to be hacked, you ignore Apache updates.

If you can't afford to be hacked, always install Apache updates, the day they release.

Tip: Keep in mind Apache has many patches which come out between releases, which means you must apply every new patch which comes out too... for maximum security...

This is why it's best to run Apache using an OS like Ubuntu Bionic, which packages all Apache patches/fixes (between releases), so all patches can be easily installed too.

If you're running on Windows, you'll either have to build from source every time a patch comes out (recommended)... or...

Use some 3rd party service... which will likely lag building patches + can end up with built in backdoors.

Which brings us back to the above comment, "If you can't afford to be hacked, always install Apache updates, the day they release".

This suggests you're running Apache on an OS + distro where all major/minor/patch releases are packaged immediately for installation.

Commented:
1.  CVE-2019-0211 specifically lists the affected versions from 2.4.17 through 2.4.38 with MPM event, worker or prefork.  All of which are fixed by 2.4.39.  If you don't have MPM event, then you should be ok.  Otherwise there's an avenue for privilege escalation.

2.  CVE-2019-0211 also specifically mentions that Windows versions are not affected.

3.  I no longer have access to their portal, but if you are licensed, you should be able to yum update apache and get their latest patch of apache installed.

Author

Commented:
Can we safely say the other two CVEs (CVE-2019-0217 & CVE-2019-0215)
also affect "2.4.17 through 2.4.38 with MPM event, worker or prefork"
only?

How do I check if we have "MPM event, worker or prefork"?

Commented:
For CVE-2019-0211, check if you have mpm_event_module enabled/installed.
Here's what it is:  https://tecadmin.net/apache-mpm-prefork-and-worker-and-event/

CVE-2019-0215 affects OpenSSL, a different bug.
In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client supporting Post-Handshake Authentication to bypass configured access control restrictions.

CVE-2019-0217 affects mod_auth_digest.
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.


You seem hesitant to update, or you would have patched without needing to ask these follow-up questions.

If you don't know, or don't understand what these bugs are, then you really should just patch.  If you know what these are and know for certain that you don't use these, you can pick and choose your patches, or even patch later.  I suggest you patch, since you're asking these questions.

Author

Commented:
Yes, hesitant as it's a major update from ver 2.0.x to 2.4.x.
Btw, that link did not explain how to check if MPM is enabled.

Author

Commented:
And if not used we would rather uninstall the Apache package and leave behind Tomcat.

Commented:
Modules are usually in the Apache configuration file, httpd.conf.
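A worked check for the two points raised above: which MPM a build uses (the mpm_event_module question, answered via `httpd -V` or the LoadModule lines in httpd.conf) and whether the version falls inside the 2.4.17 through 2.4.38 range the first answer quotes for CVE-2019-0211. This is an added example, not code from the thread; the `httpd -V` output and the httpd.conf fragment below are constructed samples, and the binary is `httpd` on RHEL/Solaris builds but `apache2ctl` on Debian-family systems.

```shell
#!/bin/sh
# Added example, not part of the thread. Works out (a) which MPM an httpd build
# uses and (b) whether the version falls in the CVE-2019-0211 range quoted above
# (2.4.17 through 2.4.38 with the event, worker or prefork MPM).

# Constructed sample of what `httpd -V` prints on a 2.4 build. On a live host run
# `httpd -V` (RHEL/Solaris) or `apache2ctl -V` (Debian/Ubuntu) and pipe that in instead.
SAMPLE_HTTPD_V='Server version: Apache/2.4.29 (Unix)
Server built:   Jan  1 2019 00:00:00
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)'

# Constructed httpd.conf fragment: commented-out LoadModule lines must not count.
SAMPLE_HTTPD_CONF='#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
LoadModule mpm_event_module modules/mod_mpm_event.so
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
LoadModule ssl_module modules/mod_ssl.so'

# Version number from the "Server version:" line, e.g. 2.4.29.
version_from_v() {
    sed -n 's|^Server version:[[:space:]]*Apache/\([0-9][0-9.]*\).*|\1|p'
}

# MPM name from the "Server MPM:" line; authoritative for static builds as well.
mpm_from_v() {
    sed -n 's/^Server MPM:[[:space:]]*\([A-Za-z_]*\).*/\1/p' | tr 'A-Z' 'a-z'
}

# MPM loaded dynamically through an active (uncommented) LoadModule mpm_*_module line.
# 2.4 can load the MPM as a module; older builds compile it in, so rely on mpm_from_v there.
mpm_from_conf() {
    sed -n 's/^[[:space:]]*LoadModule[[:space:]][[:space:]]*mpm_\([a-z]*\)_module.*/\1/p'
}

# True when $1 is 2.4.17 .. 2.4.38 (the range given in the first answer).
in_affected_range() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    if [ "$1" = 2 ] && [ "$2" = 4 ] && [ "${3:-0}" -ge 17 ] && [ "${3:-0}" -le 38 ]; then
        return 0
    fi
    return 1
}

# True when version $1 with MPM $2 matches the CVE-2019-0211 description.
# Windows builds run mpm_winnt, which is not in the list, so they fall out here.
cve_2019_0211_applies() {
    case "$2" in
        event|worker|prefork) in_affected_range "$1" ;;
        *) return 1 ;;
    esac
}

# Usage on the constructed samples.
report() {
    ver=$(printf '%s\n' "$SAMPLE_HTTPD_V" | version_from_v)
    mpm=$(printf '%s\n' "$SAMPLE_HTTPD_V" | mpm_from_v)
    if cve_2019_0211_applies "$ver" "$mpm"; then
        echo "Apache $ver with MPM $mpm: affected by CVE-2019-0211"
    else
        echo "Apache $ver with MPM $mpm: not affected by CVE-2019-0211"
    fi
}
report
```

The `httpd -V` path is the one to trust: the MPM can be compiled in statically, in which case no LoadModule line exists and only the binary knows which MPM it runs. The config scan only tells you which MPM a 2.4 build would load dynamically, and it deliberately ignores commented-out lines so a leftover `#LoadModule mpm_prefork_module` does not produce a false positive.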
