Published: 30/01/2019 Updated: 20/07/2021
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop, leading to a denial of service. This bug can only be triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to the handling of renegotiation attempts.

Vulnerable Product

apache http_server 2.4.37

oracle enterprise manager ops center 12.3.3

oracle hospitality guest access 4.2.0

oracle hospitality guest access 4.2.1

oracle instantis enterprisetrack 17.1

oracle instantis enterprisetrack 17.2

oracle instantis enterprisetrack 17.3

oracle retail xstore point of service 7.0

oracle retail xstore point of service 7.1

Vendor Advisories

Debian Bug report logs - #920220 apache2: CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1 Package: src:apache2; Maintainer for src:apache2 is Debian Apache Maintainers <debian-apache@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Tue, 22 Jan 2019 20:21:02 UTC Seve ...
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided ...
A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling ...
Arch Linux Security Advisory ASA-201901-14 ========================================== Severity: High Date : 2019-01-24 CVE-ID : CVE-2018-17189 CVE-2018-17199 CVE-2019-0190 Package : apache Type : multiple issues Remote : Yes Link : security.archlinux.org/AVG-857 Summary ======= The package apache before version 2.4.38-1 is vul ...
In Apache HTTP server by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections (CVE-2018-17189). A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send ...
Apache HTTP Server has security vulnerabilities that allow a remote attacker to exploit the application. Respective security vulnerabilities are discussed in detail in the subsequent sections ...
Oracle Solaris Third Party Bulletin - April 2019 Description: The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions. Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical ...

Mailing Lists

[slackware-security] httpd (SSA:2019-022-01) New httpd packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues. Here are the details from the Slackware 14.2 ChangeLog: +--------------------------+ patches/packages/httpd-2.4.38-i586-1_slack14.2.txz: Upgraded Th ...

Github Repositories

Simulating a DoS attack - Client SSL Renegotiation - mod_ssl 2.4.37 & openssl 1.1.1

SIMPY_DoS: Simulating a DoS attack - Client SSL Renegotiation - mod_ssl 2.4.37 & openssl 1.1.1. CVE 2019-0190. Requirements: SimPy version 2.3.1. This code simulates with SimPy parallel SSLConnection and many Renegotiation for each SSLConnection. Variables: time >> represents the CPU time of full handshake (You can observe, capture, and test your CPU time for

Jake GitHub Action play project. The Dockerfile in this project generates a list of conda packages for use by Jake: docker build -t conda-list docker run conda-list > packageslist. The openssl package has a vulnerability (CVE-2019-0190) that appears in all versions. So for now, I've removed openssl from the packageslist file: openssl 1.1.1h