Multiple vulnerabilities in Apache HTTP Server

1) Input validation error

EUVDB-ID: #VU17177

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-17189

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to an error when handling malicious input. A remote attacker can send a specially crafted request bodies in a slow loris way to plain resources and cause the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. 

Mitigation

Update to version 2.4.38.

Vulnerable software versions

Apache HTTP Server: 2.4.17 - 2.4.37

External links

http://httpd.apache.org/security/vulnerabilities_24.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Security restrictions bypass

EUVDB-ID: #VU17178

Risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-17199

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to mod_session checks the session expiry time before decoding the session. A remote attacker сan cause session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded and reuse old session credentials or session IDs, which the attacker could use to access web pages previously accessed by a targeted user. 

Mitigation

Update to version 2.4.38.

Vulnerable software versions

Apache HTTP Server: 2.4.0 - 2.4.37

External links

http://httpd.apache.org/security/vulnerabilities_24.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Infinite loop

EUVDB-ID: #VU17179

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-0190

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the mod_ssl module due to improper handling of renegotiation attempts when OpenSSL 1.1.1 or later is used. A remote attacker can send a specially crafted request that submits malicious input, trigger mod_ssl loop and cause the service to crash.

Mitigation

Update to version 2.4.38.

Vulnerable software versions

Apache HTTP Server: 2.4.37

External links

http://httpd.apache.org/security/vulnerabilities_24.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.