Thursday, April 4, 2019

Apache 2.4.39 important security release (CVE-2019-0211, CVE-2019-0217 and CVE-2019-0215)

[Update 2019-04-12]

New versions of all the affected Bitnami solutions have been submitted to the different cloud platforms.

The Apache project recently released a new version that fixes the following important security vulnerabilities, which affect many different versions of the Apache HTTP Server:

  • Apache HTTP Server privilege escalation from modules' scripts (CVE-2019-0211): Code executing in less-privileged child processes or threads could execute arbitrary code with the privileges of the parent process.
  • mod_auth_digest access control bypass (CVE-2019-0217): A race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username.
  • mod_ssl access control bypass (CVE-2019-0215): A bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client supporting Post-Handshake Authentication to bypass configured access control restrictions.

Apart from these three vulnerabilities, the latest version of the server also resolves other lower-severity security issues. You can find more information about them in the official announcement.

Our team is working on updating the affected applications and we will release updated versions of them soon. We will be revisiting this blog post to keep you informed about the latest news on this security update.

If you have further questions about this security issue, please post to our community forum, where we will be happy to help.