Recent Apache V2.4.x vulnerability clarifications

refer to attached:

Q1:
Are they affecting Apache httpd (i.e. web servers) 2.4.x only,
or other lower versions too (e.g. our Solaris 10's Apache/2.0.63
is said to have been patched by our admin, but I'm not sure)?

Q2:
So versions 2.4.x running on Windows are not affected?

Q3:
Can you point me to where to get the patches for RHEL7/RHEL6
in the Red Hat support portal?
advisory1.pdf
advisory2.pdf
sunhux Asked:

David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
Whether this will affect you depends on many factors.

If you can afford to be hacked, you ignore Apache updates.

If you can't afford to be hacked, always install Apache updates, the day they release.

Tip: Keep in mind Apache has many patches which come out between releases, which means you must apply every new patch which comes out too... for maximum security...

This is why it's best to run Apache using an OS like Ubuntu Bionic, which packages all Apache patches/fixes (between releases), so all patches can be easily installed too.

If you're running on Windows, you'll either have to build from source every time a patch comes out (recommended)... or...

Use some 3rd party service... which will likely lag building patches + can end up with built in backdoors.

Which brings us back to the above comment, "If you can't afford to be hacked, always install Apache updates, the day they release".

This suggests you're running Apache on an OS + Distro where all major/minor/patch releases are packaged immediately for installation.
serialband Commented:
1. CVE-2019-0211 specifically lists the affected versions from 2.4.17 through 2.4.38 with MPM event, worker or prefork, all of which are fixed by 2.4.39. If you don't have MPM event, then you should be ok. Otherwise there's an avenue for privilege escalation.

2. CVE-2019-0211 also specifically mentions that Windows versions are not affected.

3. I no longer have access to their portal, but if you are licensed, you should be able to yum update apache and get their latest patch of apache installed.
sunhux (Author) Commented:
Can we safely say the other two CVEs (CVE-2019-0217 & CVE-2019-0215)
also affect "2.4.17 through 2.4.38 with MPM event, worker or prefork"
only?

How do I check if we have "MPM event, worker or prefork"?
serialband Commented:
For CVE-2019-0211, check if you have mpm_event_module enabled/installed.
Here's what it is:  https://tecadmin.net/apache-mpm-prefork-and-worker-and-event/

CVE-2019-0215 affects OpenSSL, a different bug.
In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client supporting Post-Handshake Authentication to bypass configured access control restrictions.

CVE-2019-0217 affects mod_auth_digest.
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.


You seem hesitant to update, or you would have patched without needing to ask these follow up questions.

If you don't know, or don't understand what these bugs are, then you really should just patch.  If you know what these are and know for certain that you don't use these, you can pick and choose your patches, or even patch later.  I suggest you patch, since you're asking these questions.

sunhux (Author) Commented:
Yes, hesitant as it's a major update from ver 2.0.x to 2.4.x.
BTW, that link did not explain how to check if MPM is enabled.
sunhux (Author) Commented:
And if not used, we would rather uninstall the apache package and leave behind Tomcat.
serialband Commented:
Modules are usually in the Apache configuration file, httpd.conf
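One way to answer the "which MPM, and is this build inside the affected range" question from a shell, as an added example that is not code from this thread or from the Apache project: it parses `httpd -V` output (a constructed sample is embedded so it runs offline) and applies the CVE-2019-0211 window quoted above. It only checks that one CVE's version window; it cannot tell whether a distro has backported the fix into an older version string.

```shell
#!/bin/sh
# Added example, not code from the thread: classify a build of Apache httpd
# against the CVE-2019-0211 window quoted above (2.4.17 through 2.4.38 with
# the event, worker or prefork MPM; the Windows winnt MPM is not affected).
# On a live host:  httpd -V | parse_httpd_v   (or apachectl -V)
# Caveat: distro packages (e.g. RHEL) backport fixes without changing the
# upstream version string, so check the package changelog there as well.

# Read `httpd -V` output on stdin, print "<version> <mpm>", e.g. "2.4.38 event".
parse_httpd_v() {
    awk '
        /^Server version:/ { sub(/.*Apache\//, ""); split($0, a, " "); ver = a[1] }
        /^Server MPM:/     { mpm = tolower($3) }
        END { print ver, mpm }
    '
}

# Exit 0 when version satisfies 2.4.17 <= v <= 2.4.38, exit 1 otherwise.
in_cve_2019_0211_range() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    maj=${1:-0}; min=${2:-0}; patch=${3:-0}
    [ "$maj" -eq 2 ] && [ "$min" -eq 4 ] && [ "$patch" -ge 17 ] && [ "$patch" -le 38 ]
}

# $1 = version string, $2 = MPM name; prints "affected" or "not-affected".
assess_cve_2019_0211() {
    case "$2" in
        event|worker|prefork) mpm_hit=1 ;;
        *)                    mpm_hit=0 ;;   # winnt, netware, unknown MPM
    esac
    if [ "$mpm_hit" -eq 1 ] && in_cve_2019_0211_range "$1"; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed sample of `httpd -V` output (not captured from a real host).
SAMPLE_HTTPD_V='Server version: Apache/2.4.38 (Unix)
Server built:   Jan  1 2019 00:00:00
Server MPM:     event
  threaded:     yes (fixed thread count)'

# Parse the sample and classify it; the verdict goes to stdout.
run_sample() {
    set -- $(printf '%s\n' "$SAMPLE_HTTPD_V" | parse_httpd_v)
    assess_cve_2019_0211 "$1" "$2"
}

run_sample   # prints: affected
```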