ADVISORY: Update Apache HTTP Server 2.4 to fix privilege escalation vulnerability

Friday, April 5, 2019

This information was sent via email to U-M IT staff groups on April 5, 2019. It is intended for U-M IT staff who are responsible for university servers running Apache HTTP Server.

Summary

A privilege escalation vulnerability (CVE-2019-0211) has been found in Apache HTTP Server 2.4. An attacker who can already run code on the web server as the low-privileged web server user (for example, through a PHP or CGI script) could use this flaw to run code with root privileges. Update to release 2.4.39 or later to fix the vulnerability. This is most urgent in shared web hosting environments, where untrusted users are allowed to run their own scripts.

Problem

A flaw has been found in Apache HTTP Server 2.4 releases 2.4.17 through 2.4.38. An attacker with the ability to run arbitrary scripts on the web server (PHP, CGI, and so on) could use this flaw to escalate from the unprivileged web server user to root on that server.

Threats

The vulnerability is a local privilege escalation: it requires the attacker to already be able to run code as the web server user, but from there it allows arbitrary code execution as root. Proof-of-concept exploit code is publicly available. There are no reports of exploitation in the wild at the time of this advisory.

Affected Versions

Apache HTTP Server 2.4 releases 2.4.17 through 2.4.38 on Unix-like systems, with any of the standard Multi-Processing Modules (event, worker, or prefork). Non-Unix systems are not affected. Release 2.4.39 contains the fix.

Action Items

Update to the most recent version of Apache HTTP Server (release 2.4.39 or later) as soon as possible after appropriate testing. Note that Linux distributions often backport security fixes without changing the upstream version number; if your httpd comes from a distribution package, apply the vendor's updated package and confirm the fix against the package changelog or the vendor's advisory rather than relying on the reported version alone. This is most urgent in shared web hosting environments.
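As an added example (not part of the original U-M advisory), the following POSIX shell script checks whether a locally installed httpd reports a version in the affected range and which MPM it runs, which is useful when sweeping a fleet of servers. The binary names it probes (httpd, apache2, apache2ctl) are assumptions covering Red Hat-style and Debian-style installs; adjust them for other builds. As noted above, a version inside the range does not by itself prove the server is unpatched when the package comes from a distribution that backports fixes.

```shell
#!/bin/sh
# Added example, not from the U-M advisory: report whether a local Apache
# httpd build falls in the affected range 2.4.17 .. 2.4.38 and which MPM it
# runs. Binary names (httpd, apache2, apache2ctl) are assumptions that cover
# Red Hat-style and Debian-style layouts; adjust for other builds.

# parse_httpd_version "Server version: Apache/2.4.38 (Debian)" -> "2.4.38"
# Accepts the full multi-line output of "httpd -v" and prints only the version.
parse_httpd_version() {
    printf '%s\n' "$1" | sed -n 's|^Server version: Apache/\([0-9][0-9.]*\).*|\1|p'
}

# version_affected VERSION -> exit 0 when 2.4.17 <= VERSION <= 2.4.38, else 1.
# Only 2.4.x is in scope: the flawed code was introduced in 2.4.17 and fixed in 2.4.39.
version_affected() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3)
    [ "$major" = "2" ] && [ "$minor" = "4" ] || return 1
    case "$patch" in
        ''|*[!0-9]*) return 1 ;;   # not a plain number (e.g. "38-dev"): out of scope
    esac
    [ "$patch" -ge 17 ] && [ "$patch" -le 38 ]
}

# check_local_httpd -> 0 if the local build is outside the affected range,
# 1 if it is inside it, 2 if no httpd binary was found. Prints a one-line verdict.
check_local_httpd() {
    for bin in httpd apache2 apache2ctl; do
        command -v "$bin" >/dev/null 2>&1 || continue
        ver=$(parse_httpd_version "$("$bin" -v 2>/dev/null)")
        [ -n "$ver" ] || continue
        # "-V" prints a "Server MPM: event|worker|prefork" line. When the MPM is a
        # loadable module (Debian layout) the line may be absent if the configuration
        # cannot be read, hence the "unknown" fallback.
        mpm=$("$bin" -V 2>/dev/null | sed -n 's/^Server MPM:[[:space:]]*//p')
        mpm=${mpm:-unknown}
        if version_affected "$ver"; then
            echo "$bin $ver (MPM: $mpm): in affected range 2.4.17-2.4.38; update to 2.4.39 or later"
            echo "note: distribution packages may carry a backported fix under the old version number; confirm against the package changelog"
            return 1
        fi
        echo "$bin $ver (MPM: $mpm): outside affected range"
        return 0
    done
    echo "no httpd binary found in PATH"
    return 2
}

# Run the local check only when invoked with --local, so that sourcing this
# file merely defines the functions for reuse in other scripts.
if [ "${1:-}" = "--local" ]; then
    check_local_httpd
fi
```

Run it as `sh httpd-check.sh --local`; the exit status (0 clean, 1 affected, 2 not found) makes it easy to drive from a configuration management tool or a loop over hosts.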

Technical Details

A flaw was found in Apache HTTP Server 2.4 releases 2.4.17 through 2.4.38 (CVE-2019-0211) with the Multi-Processing Module (MPM) event, worker, or prefork. The parent httpd process runs as root and shares a scoreboard in shared memory with the less-privileged child processes or threads that handle requests. Code executing in a child (including scripts executed by an in-process scripting interpreter such as mod_php) could manipulate the scoreboard and cause the parent to execute arbitrary code with its own privileges (usually root). An attacker who can run arbitrary scripts on the web server (PHP, CGI, and so on) could therefore use this flaw to run code on the web server as root. Non-Unix systems are not affected.

Information for Users

This vulnerability affects servers only. People who merely browse websites are not affected and need take no action.