SOLVED [EA-8307] Update ea-apache24 to 2.4.39 for CVE-2019-0211

Augusto Florentino

Registered
Feb 5, 2019
1
1
3
Morocco
cPanel Access Level
Root Administrator
source : New Apache Web Server Bug Threatens Security of Shared Web Hosts

Mark J Cox, one of the founding members of the Apache Software Foundation and the OpenSSL project, today posted a tweet twitter.com/iamamoose/status/1112966189276389376' warning users about a recently discovered important flaw in Apache HTTP Server software.

The Apache web server is one of the most popular, widely used open-source web servers in the world that powers almost 40 percent of the whole Internet.

The vulnerability, identified as CVE-2019-0211, was discovered by Charles Fol, a security engineer at Ambionics Security firm, and patched by the Apache developers in the latest version 2.4.39 of its software released today.

The flaw affects Apache HTTP Server versions 2.4.17 through 2.4.38 and could allow any less-privileged user to execute arbitrary code with root privileges on the targeted server.

"In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected," the advisory says.
According to Cox, the vulnerability is more concerning for shared web hosting services, where malicious customers or a hacker with ability to execute PHP or CGI scripts on a website can make use of the flaw to gain root access on the server, eventually compromising all other websites hosted on the same server.

Besides this, the latest Apache httpd 2.4.39 version also patches three low and two other important severity issues.

The second important flaw (CVE-2019-0217) could allow "a user with valid credentials to authenticate using another username, bypassing configured access control restrictions."

The third vulnerability is a mod_ssl access control bypass (CVE-2019-0215), "a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client supporting Post-Handshake Authentication to bypass configured access control restrictions."

We have seen how previous disclosures of severe flaws in web application frameworks have resulted in PoC exploits being published within a day and exploitation in the wild, putting critical infrastructure as well as customers' data at risk.

Therefore, web hosting services, organizations managing their own servers and website administrators are strongly advised to upgrade their Apache HTTP instances to the latest versions as soon as possible.
 
Last edited by a moderator:
  • Like
Reactions: WebJIVE

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,910
2,213
363
Hello @Augusto Florentino,

We're aware of the security report and plan to publish the patched Apache version as part of internal case EA-8307. I'll monitor the case and update this thread as soon as it's published.

Thanks!

Update:

Hello Everyone,

The updated EA4 packages were just published: EasyApache 4 Apr 3 Release

1. You can apply the updated packages by running the following command as root:

Code:
yum clean all; yum update;
2. You can verify Apache version 2.4.39 is installed by running the following command as root:

Code:
httpd -version
The output should look like this:
Code:
# httpd -version
Server version: Apache/2.4.39 (cPanel)
Server built:   Apr  3 2019 14:59:13
For CloudLinux customers
CloudLinux has published updated packages to their EA4 repo:

ea-apache24-2.4.39-1.cloudlinux major security update

Thank you.

Edit 1: Updated CloudLinux blog link to reflect package availability on their stable EA4 repo.
 
Last edited:

WebJIVE

Well-Known Member
Sep 30, 2007
71
6
58
Yeah, this has to get patched pretty quick.
 

Domenico

Well-Known Member
Aug 14, 2001
378
12
318
Is Apache (2.4.38-3.3.1.cpanel) used with current cPanel vulnerable?


Apache HTTP 2.4.17 to 2.4.38 is vulnerable to a local root exploit when mod_prefork, mod_worker and mod_event are used:

httpd 2.4 vulnerabilities - The Apache HTTP Server Project

We are hearing reports of exploit(s) already being produced and strongly recommend that everyone update to Apache HTTP 2.4.39 as soon as possible - especially in shared hosting environments!

Apache HTTP Server Project

Apache web server bug grants root access on shared hosting environments | ZDNet
 

nibb

Well-Known Member
Mar 22, 2008
319
5
68
Why is this taking so long? All cPanel has to do is send the patch down from the upstream RHEL. At this point I cannot wait to see how many people are attacking cPanel servers and gaining root access. This security hole is SERIOUS and is already being exploited in the wild. Its 24 hours now and no patch available.
 

Giannis

Well-Known Member
PartnerNOC
Jun 22, 2005
67
0
156
Just to have it handy here, if you are using CL you can update using yum update -y ea-apache24* --enablerepo=cl-ea4-testing --exclude=ea-apache24-mod_lsapi
 

nibb

Well-Known Member
Mar 22, 2008
319
5
68
Just to have it handy here, if you are using CL you can update using yum update -y ea-apache24* --enablerepo=cl-ea4-testing --exclude=ea-apache24-mod_lsapi
I have CL but I don't feel like I should be enabling a TESTING repo to get a security patch. In particular because cPanel should be sending the patch faster than CloudLinux, at least they should. I want an official release.
 

sparek-3

Well-Known Member
Aug 10, 2002
1,985
218
343
cPanel Access Level
Root Administrator
I have to say, it's a bit disturbing at the length of time this is taking cPanel to release a fix.

Changes to the EA4 Apache repository for this were made yesterday, yet we still don't have any rpms out to the mirrors.

But anybody using CloudLinux will have to defer to CloudLinux on this. If you are using CloudLinux, then you are using CloudLinux packaged Apache and PHP. You're not using anything related to cPanel in regards to Apache and PHP.

Those of us that aren't using CloudLinux have to depend on cPanel to release these updates.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,910
2,213
363
Hello Everyone,

We're aiming to publish the updated packages today, pending successful build quality tests. I don't have a specific time frame to provide, but I'll update this thread as soon as the new packages are published.

Thank you.
 

FrankS

Registered
Apr 3, 2019
3
0
1
Winston Salem
cPanel Access Level
Root Administrator
Hello Everyone,

We're aiming to publish the updated packages today, pending successful build quality tests. I don't have a specific time frame to provide, but I'll update this thread as soon as the new packages are published.

Thank you.
I would suggest putting the packages on a beta/experimental repository as they are now. The exploit is rather severe and the only mitigation that I could think of doing is to disable user FTP access and a few other features. It doesn't exactly exclusively mitigate the issue, but it will definitely add a line of defense to the situation.
 

nibb

Well-Known Member
Mar 22, 2008
319
5
68
Hello Everyone,

We're aiming to publish the updated packages today, pending successful build quality tests. I don't have a specific time frame to provide, but I'll update this thread as soon as the new packages are published.

Thank you.
I don't think quality is a concern right now for most users. Those that are updating today are pending over this thread already or checking their servers all the time, those that don't they are not even aware the issue exists. I would rather have a temporary buggy web server, than a root hacked server that makes you lose customers and having to rebuild everything from scratch. Giving this is being exploited as we speak security should trump quality testing right now.
 
  • Like
Reactions: sparek-3 and FrankS