Major Vulnerability in Apache 2.4.17 - 2.4.38

#1

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-0211

This could be really devastating in shared hosting environments. Unless I’m overlooking something, all CentOS 7 + cPanel servers are currently running Apache 2.4.38, making them potentially vulnerable. Perhaps jailshell offers protection in this case, I’m not sure.

If you can update to 2.4.39, you should definitely do so.

7 Likes

#2

It requires to run something under the Apache process itself.
And I don’t think cPanel uses mod_php, right?

1 Like

#3

True, pretty sure suPHP is still the norm there. CGI scripts may be an attack vector then.

0 Likes

#4

Most user will have Apache installed via repo so you will just have to wait until it gets updated to .39 or the fix gets backported most major distro will probably have a patched version within a few days time.

Based on Cpanel forum they are saying sometime today https://forums.cpanel.net/threads/ea-8307-update-ea-apache24-to-2-4-39-for-cve-2019-0211.650517/

Debian stretch already released a fix 2.4.25-3+deb9u7 CVE-2019-0211

1 Like

#5

Already in Devuan ascii-backports, but I’m just repeating @Razza

0 Likes

#6

Note that httpd in CentOS 7 / RHEL 7 repos is not vulnerable, no need to panic on these systems unless installed a newer version from elsewhere.

2 Likes

#7

Awesome. I suppose then that really rules out the most common setups. Especially in shared hosting.

0 Likes

#8

Yeah, the problem is that people might install Apache/httpd from other sources than the official repos (which has version 2.4.6 from 2013). Not sure what cPanel installs.

1 Like

#9

I believe Cpanel uses their own repo’s for a number of software including Apache.

0 Likes

#10

Nice! Looks like nginx is still the king of the hill

1 Like