ADVISORY: Update Apache HTTP Server 2.4 to fix privileged access vulnerability
Friday, April 5, 2019
This information was sent via email to U-M IT staff groups on April 5, 2019. It is intended for U-M IT staff who are responsible for university servers running Apache HTTP Server.
A privileged access vulnerability has been found in Apache HTTP Server 2.4. An attacker having access to run arbitrary scripts on the web server could use this flaw to run code on the web server with root privileges. Update to the latest version to fix the vulnerability. This is most urgent in web hosting environments.
Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38
Update to the most recent version of Apache HTTP Server (release 2.4.39) as soon as possible after appropriate testing. This is most urgent in web hosting environments.
The vulnerability is easily exploitable and could allow an attacker to execute arbitrary code. There are no reports of exploitation in the wild.
A flaw was found in Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38 with Multi-Processing Module (MPM) event, worker, or prefork in which code executing in a less-privileged child process or thread could execute arbitrary code with the privileges of the parent process (usually root). An attacker having access to run arbitrary scripts on the web server (PHP, CGI, and so on), could use this flaw to run code on the web server with root privileges.
Information for Users
This vulnerability only affects servers, so general users will not encounter it.