SOLVED [EA-8307] Update ea-apache24 to 2.4.39 for CVE-2019-0211

Augusto Florentino

Registered
Feb 5, 2019
Morocco
cPanel Access Level
Root Administrator
Source: New Apache Web Server Bug Threatens Security of Shared Web Hosts

Mark J Cox, one of the founding members of the Apache Software Foundation and the OpenSSL project, today posted a tweet (twitter.com/iamamoose/status/1112966189276389376) warning users about a recently discovered important flaw in Apache HTTP Server software.

The Apache web server is one of the most popular, widely used open-source web servers in the world that powers almost 40 percent of the whole Internet.

The vulnerability, identified as CVE-2019-0211, was discovered by Charles Fol, a security engineer at Ambionics Security firm, and patched by the Apache developers in the latest version 2.4.39 of its software released today.

The flaw affects Apache HTTP Server versions 2.4.17 through 2.4.38 and could allow any less-privileged user to execute arbitrary code with root privileges on the targeted server.

"In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected," the advisory says.

According to Cox, the vulnerability is more concerning for shared web hosting services, where malicious customers or a hacker with the ability to execute PHP or CGI scripts on a website can make use of the flaw to gain root access on the server, eventually compromising all other websites hosted on the same server.

Besides this, the latest Apache httpd 2.4.39 version also patches three low and two other important severity issues.

The second important flaw (CVE-2019-0217) could allow "a user with valid credentials to authenticate using another username, bypassing configured access control restrictions."

The third vulnerability is a mod_ssl access control bypass (CVE-2019-0215), "a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client supporting Post-Handshake Authentication to bypass configured access control restrictions."

We have seen how previous disclosures of severe flaws in web application frameworks have resulted in PoC exploits being published within a day and exploitation in the wild, putting critical infrastructure as well as customers' data at risk.

Therefore, web hosting services, organizations managing their own servers and website administrators are strongly advised to upgrade their Apache HTTP instances to the latest versions as soon as possible.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello @Augusto Florentino,

We're aware of the security report and plan to publish the patched Apache version as part of internal case EA-8307. I'll monitor the case and update this thread as soon as it's published.

Thanks!

Update:

Hello Everyone,

The updated EA4 packages were just published: EasyApache 4 Apr 3 Release

1. You can apply the updated packages by running the following command as root:

Code:
yum clean all; yum update;
2. You can verify Apache version 2.4.39 is installed by running the following command as root:

Code:
httpd -version
The output should look like this:
Code:
# httpd -version
Server version: Apache/2.4.39 (cPanel)
Server built:   Apr  3 2019 14:59:13
For CloudLinux customers
CloudLinux has published updated packages to their EA4 repo:

ea-apache24-2.4.39-1.cloudlinux major security update

Thank you.

Edit 1: Updated CloudLinux blog link to reflect package availability on their stable EA4 repo.
 
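An added check, written for this thread and not taken from cPanel's tooling or the Apache advisory: a POSIX sh function that classifies an httpd version string against the affected range 2.4.17 through 2.4.38, so the result of the verification step above can be evaluated on many servers without reading each one by eye. It accepts the `Server version:` line printed by `httpd -v` and the package string printed by `rpm -q ea-apache24` (the 2.4.38-3.3.1.cpanel form). The sample strings inside the block are constructed, not captured from a real server, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the cPanel thread or the Apache project: classify a
# version string from `httpd -v` ("Server version: Apache/2.4.39 (cPanel)") or
# from `rpm -q ea-apache24` ("ea-apache24-2.4.38-3.3.1.cpanel.x86_64") against
# the CVE-2019-0211 affected range, 2.4.17 through 2.4.38 (fixed in 2.4.39).
# Prints exactly one word: vulnerable, fixed, not-listed, or unknown.
cve_2019_0211_status() {
    # Pull "2.4.39" out of either input form. With -n, sed prints only when one
    # of the two substitutions matches, so no match yields an empty string.
    ver=$(printf '%s\n' "$1" | sed -n \
        -e 's|.*Apache/\([0-9][0-9.]*\).*|\1|p' \
        -e 's|.*ea-apache24-\([0-9][0-9.]*\).*|\1|p' | head -n 1)
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    # Split on dots into positional parameters (POSIX sh has no arrays).
    oldifs=$IFS
    IFS=.
    set -- $ver
    IFS=$oldifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -ne 2 ] || [ "$minor" -ne 4 ]; then
        echo not-listed      # the advisory names only the 2.4.x branch
    elif [ "$patch" -ge 17 ] && [ "$patch" -le 38 ]; then
        echo vulnerable
    elif [ "$patch" -ge 39 ]; then
        echo fixed
    else
        echo not-listed      # 2.4.0 through 2.4.16 are not in the affected range
    fi
    return 0
}

# Query the live server when httpd is on PATH; prints "unknown" elsewhere.
check_running_httpd() {
    if command -v httpd >/dev/null 2>&1; then
        cve_2019_0211_status "$(httpd -v 2>/dev/null | grep 'Server version')"
    else
        echo unknown
    fi
}

# Constructed sample inputs (not real server output) exercising each branch.
for sample in \
    'Server version: Apache/2.4.38 (cPanel)' \
    'ea-apache24-2.4.38-3.3.1.cpanel.x86_64' \
    'Server version: Apache/2.4.39 (cPanel)' \
    'Server version: Apache/2.4.16 (Unix)' \
    'no version here'
do
    printf '%-45s %s\n' "$sample" "$(cve_2019_0211_status "$sample")"
done
```

The version number is the only thing the advisory keys on for Unix hosts: any 2.4.17 to 2.4.38 build running the event, worker or prefork MPM should be treated as vulnerable until the 2.4.39 packages are installed, and `check_running_httpd` can be dropped into a fleet-wide SSH loop to find the hosts that still report `vulnerable` after the yum update.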

WebJIVE

Well-Known Member
Sep 30, 2007
Yeah, this has to get patched pretty quick.
 

Domenico

Well-Known Member
Aug 14, 2001
Is Apache (2.4.38-3.3.1.cpanel) used with current cPanel vulnerable?


Apache HTTP 2.4.17 to 2.4.38 is vulnerable to a local root exploit when mod_prefork, mod_worker and mod_event are used:

httpd 2.4 vulnerabilities - The Apache HTTP Server Project

We are hearing reports of exploit(s) already being produced and strongly recommend that everyone update to Apache HTTP 2.4.39 as soon as possible - especially in shared hosting environments!

Apache HTTP Server Project

Apache web server bug grants root access on shared hosting environments | ZDNet
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
How much longer will this update take? Are we talking hours or days?
It's tentatively scheduled for publication later today. I'll update this thread with more information as soon as it's available.

Thank you.
 

nibb

Well-Known Member
Mar 22, 2008
Why is this taking so long? All cPanel has to do is send the patch down from the upstream RHEL. At this point I cannot wait to see how many people are attacking cPanel servers and gaining root access. This security hole is SERIOUS and is already being exploited in the wild. It's 24 hours now and no patch available.
 

Giannis

Well-Known Member
PartnerNOC
Jun 22, 2005
Just to have it handy here, if you are using CL you can update using yum update -y ea-apache24* --enablerepo=cl-ea4-testing --exclude=ea-apache24-mod_lsapi
 

nibb

Well-Known Member
Mar 22, 2008
Just to have it handy here, if you are using CL you can update using yum update -y ea-apache24* --enablerepo=cl-ea4-testing --exclude=ea-apache24-mod_lsapi
I have CL but I don't feel like I should be enabling a TESTING repo to get a security patch. In particular because cPanel should be sending the patch faster than CloudLinux, at least they should. I want an official release.
 

sparek-3

Well-Known Member
Aug 10, 2002
cPanel Access Level
Root Administrator
I have to say, it's a bit disturbing at the length of time this is taking cPanel to release a fix.

Changes to the EA4 Apache repository for this were made yesterday, yet we still don't have any rpms out to the mirrors.

But anybody using CloudLinux will have to defer to CloudLinux on this. If you are using CloudLinux, then you are using CloudLinux packaged Apache and PHP. You're not using anything related to cPanel in regards to Apache and PHP.

Those of us that aren't using CloudLinux have to depend on cPanel to release these updates.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello Everyone,

We're aiming to publish the updated packages today, pending successful build quality tests. I don't have a specific time frame to provide, but I'll update this thread as soon as the new packages are published.

Thank you.
 

FrankS

Registered
Apr 3, 2019
Winston Salem
cPanel Access Level
Root Administrator
Hello Everyone,

We're aiming to publish the updated packages today, pending successful build quality tests. I don't have a specific time frame to provide, but I'll update this thread as soon as the new packages are published.

Thank you.
I would suggest putting the packages on a beta/experimental repository as they are now. The exploit is rather severe and the only mitigation that I could think of doing is to disable user FTP access and a few other features. It doesn't exactly exclusively mitigate the issue, but it will definitely add a line of defense to the situation.
 

nibb

Well-Known Member
Mar 22, 2008
Hello Everyone,

We're aiming to publish the updated packages today, pending successful build quality tests. I don't have a specific time frame to provide, but I'll update this thread as soon as the new packages are published.

Thank you.
I don't think quality is a concern right now for most users. Those that are updating today are pending over this thread already or checking their servers all the time; those that don't are not even aware the issue exists. I would rather have a temporary buggy web server than a root hacked server that makes you lose customers and having to rebuild everything from scratch. Given that this is being exploited as we speak, security should trump quality testing right now.
 