ADVISORY: Update Apache HTTP Server 2.4 to fix privileged access vulnerability

A privileged access vulnerability has been found in Apache HTTP Server 2.4. An attacker having access to run arbitrary scripts on the web server could use this flaw to run code on the web server with root privileges. Update to the latest version to fix the vulnerability. This is most urgent in web hosting environments.

A flaw has been found in Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38. An attacker with access to run arbitrary scripts on the web server (PHP, CGI, and so on) could use this flaw to run code on the web server with root privileges.

The vulnerability is easily exploitable and could allow an attacker to execute arbitrary code. There are no reports of exploitation in the wild.

Update to the most recent version of Apache HTTP Server (release 2.4.39) as soon as possible after appropriate testing. This is most urgent in web hosting environments.

A flaw was found in Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38 with Multi-Processing Module (MPM) event, worker, or prefork in which code executing in a less-privileged child process or thread could execute arbitrary code with the privileges of the parent process (usually root). An attacker having access to run arbitrary scripts on the web server (PHP, CGI, and so on), could use this flaw to run code on the web server with root privileges.

This vulnerability only affects servers, so general users will not encounter it.

• [USN-3937-1] Apache HTTP Server vulnerabilities (4/4/19)
• Apache HTTP Server 2.4.39 Released (4/1/19)
• Red Hat Bugzilla – Bug 1694980 (4/4/19)
• Apache HTTP Server Project: HTTP Server 2.4 Vulnerabilities
• CVE-2019-0211