SB2019040243 - Privilege escalation in apache2 (Alpine package)
Published: April 2, 2019
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Privilege escalation (CVE-ID: CVE-2019-0211)
CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:A/U:Clear
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists within MPM implementation due to the application does not properly maintain each child's listener bucket number in the scoreboard that may lead to unprivileged code or scripts run by server (e.g. via mod_php) to modify the scoreboard and abuse the privileged main process.
A local user can execute arbitrary code on the system with privileges of the Apache HTTP Server code process.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=0342bb148db2b28dcced8a4c5b8e2840f3af9a44
- https://git.alpinelinux.org/aports/commit/?id=9d23763439dabef4a81c7cc9c061b69048df9708
- https://git.alpinelinux.org/aports/commit/?id=bbf41c02f848c8e5967bd857c6988274dc55f068
- https://git.alpinelinux.org/aports/commit/?id=ef86fbabe1c2c14cf06d8c26c6141b650e92049d