Become King Of Hell

Local Privilege Escalation, Apache HTTP Server 2.4.17 <= 2.4.38, CVE-2019-0211


The Apache Software Foundation has fixed a dangerous vulnerability in Apache HTTP Server 2.4 that, under certain circumstances, could allow code to run as root and take control of the server.

The issue (CVE-2019-0211) only affects versions of Apache on Unix systems (Apache 2.4.17 to 2.4.38) and allows a less privileged user to execute code as root on the target server. According to the developers, a less privileged Apache child process (such as a CGI script) can execute code with the rights of the parent process. Since the Apache web server runs as root on most Unix systems, any attacker who injects a malicious CGI script into the Apache server can exploit the vulnerability and take control of the entire system.

The problem poses the greatest threat to shared web hosting services. As noted, CVE-2019-0211 is a local vulnerability, and in order to exploit it, an attacker must initially have access to the server (either by creating their own account or by compromising existing accounts). They can then download a malicious PHP or CGI script and compromise websites hosted on the server or steal data from other clients stored on the machine.

The vulnerability has already been fixed in Apache httpd 2.4.39. In addition to the above, the update also fixes a number of other less dangerous bugs, including vulnerabilities (CVE-2019-0217 and CVE-2019-0215) that allow bypassing access restrictions. Users are advised to install the update as soon as possible.