CVE-2019-0211

Published: 08/04/2019 Updated: 11/06/2019
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 726
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

A vulnerability in the Apache HTTP Server could allow a local malicious user to execute arbitrary code on a targeted system. The vulnerability exists because the event, worker and prefork MPMs mishandle code that is executed in less-privileged child processes or threads. An attacker could exploit this vulnerability by accessing the system and manipulating the scoreboard used for communication between the parent and child processes. A successful exploit could allow the malicious user to execute arbitrary code in the security context of the parent process, which is typically root. Apache has confirmed the vulnerability and released software updates.

Affected Products

Vendor | Product | Versions
Apache | HTTP Server | 2.4.17, 2.4.18, 2.4.19, 2.4.20, 2.4.21, 2.4.22, 2.4.23, 2.4.24, 2.4.25, 2.4.26, 2.4.27, 2.4.28, 2.4.29, 2.4.30, 2.4.32, 2.4.33, 2.4.34, 2.4.35, 2.4.36, 2.4.37, 2.4.38
Canonical | Ubuntu Linux | 14.04, 16.04, 18.04, 18.10
Debian | Debian Linux | 9.0
Fedoraproject | Fedora | 29, 30
Opensuse | Leap | 15.0, 42.3

Vendor Advisories

Synopsis: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 SP2 security update. Type/Severity: Security Advisory: Important. Topic: Red Hat JBoss Core Services Pack Apache Server 2.4.29 Service Pack 2 zip release for RHEL 6 and RHEL 7 is available. Red Hat Product Security has rated this release a ...
Synopsis: Important: httpd:2.4 security update. Type/Severity: Security Advisory: Important. Topic: An update for the httpd:2.4 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CV ...
Synopsis: Important: httpd24-httpd and httpd24-mod_auth_mellon security update. Type/Severity: Security Advisory: Important. Topic: An update for httpd24-httpd and httpd24-mod_auth_mellon is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact ...
Synopsis: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 SP2 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for JBoss Core Services on RHEL 6 and RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Co ...
In Apache HTTP Server with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard (CVE-2019-0211) ...
Synopsis: Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 SP2 security update. Type/Severity: Security Advisory: Important. Topic: Red Hat JBoss Core Services Pack Apache Server 2.4.29 Service Pack 2 packages for Microsoft Windows and Oracle Solaris are now available. Red Hat Product Security has ...
In Apache HTTP Server with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard (CVE-2019-0211) ...
Severity: Unknown. Remote: Unknown. Type: Unknown. Description: AVG-946 apache 2.4.38-1 2.4.39-1 Medium Testing ...
Several security issues were fixed in the Apache HTTP Server ...
Several vulnerabilities have been found in the Apache HTTP server. CVE-2018-17189: Gal Goldshtein of F5 Networks discovered a denial of service vulnerability in mod_http2. By sending malformed requests, the http/2 stream for that request unnecessarily occupied a server thread cleaning up incoming data, resulting in denial of service ...
There are multiple vulnerabilities in the IBM HTTP Server used by WebSphere Application Server. CVE-2019-0211 affects version 9 non-windows platforms only ...
Debian Bug report logs - #920303 apache2: CVE-2018-17199: mod_session_cookie does not respect expiry time. Package: src:apache2; Maintainer for src:apache2 is Debian Apache Maintainers <debian-apache@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Wed, 23 Jan 2019 20:36:02 UTC; Severity: ...
Debian Bug report logs - #920302 apache2: CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies. Package: src:apache2; Maintainer for src:apache2 is Debian Apache Maintainers <debian-apache@lists.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Wed, 23 Jan 2019 20:33:05 UTC; Severity: ...
There are multiple vulnerabilities in the IBM HTTP Server used by WebSphere Application Server. Apache HTTP Server could provide weaker than expected security, caused by URL normalization inconsistencies. Apache HTTP Server could allow a local authenticated attacker to gain elevated privileges on the system ...

Exploits

<?php # CARPE (DIEM): CVE-2019-0211 Apache Root Privilege Escalation # Charles Fol # @cfreal_ # 2019-04-08 # # INFOS # # cfrealgithubio/carpe-diem-cve-2019-0211-apache-local-roothtml # # USAGE # # 1 Upload exploit to Apache HTTP server # 2 Send request to page # 3 Await 6:25AM for logrotate to restart Apache # 4 python35 is now s ...

Mailing Lists

Apache versions 2.4.17 up to 2.4.38 apache2ctl graceful logrotate local privilege escalation exploit ...
[slackware-security] httpd (SSA:2019-096-01). New httpd packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix a security issue. Here are the details from the Slackware 14.2 ChangeLog: patches/packages/httpd-2.4.39-i586-1_slack14.2.txz: Upgraded T ...
CVE-2019-0211: Apache HTTP Server privilege escalation from modules' scripts. Severity: important. Vendor: The Apache Software Foundation. Versions Affected: httpd 2.4.17 to 2.4.38. Description: In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (inclu ...
Debian Security Advisory DSA-4422-1, security@debian.org, www.debian.org/security/, Stefan Fritsch, April 03, 2019, www.debian.org/security/faq ...

Github Repositories

Exploits Some of my exploits

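Annual data report; monthly data report - March 201904; share of information sources and information types; WeChat official accounts; recommended: nickname_english weixin_no url title. National Defense Science and Technology News, CDSTIC, mp.weixin.qq.com/s/LXR853Z4E5peVYq89tXKZA, DARPA FY2020 R&D budget: investment in applied artificial intelligence research grows sharply. Topsec Alpha Lab, mp.weixin.qq.com/s/kwp5uxom7Amrj6S_-g8r4Q, Topsec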

Awesome CVE PoC: A curated list of CVE PoCs. Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security. Please read the contribution guidelines before contributing. This repo is full of PoCs for CVEs. If you enjoy this awesome list and would like to support it, check out my Patreon page :

Recent Articles

A patchy Apache a-patchin: HTTP server gets fix for worrying root access hole
The Register • Shaun Nichols in San Francisco • 03 Apr 2019

Rogue 'worker' processes can sneak in with elevated privileges at startup

Apache HTTP Server has been given a patch to address a potentially serious elevation of privilege vulnerability.
Designated CVE-2019-0211, the flaw allows a "worker" process to change its privileges when the host server resets itself, potentially allowing anyone with a local account to run commands with root clearance, essentially giving them complete control over the targeted machine.
The bug was discovered by researcher Charles Fol of security shop Ambionics, who privately reported...

Apache Bug Lets Normal Users Gain Root Access Via Scripts
BleepingComputer • Sergiu Gatlan • 02 Apr 2019

A privilege escalation vulnerability of important severity in the Apache HTTP server allowing users with the right to write and run scripts to gain root on Unix systems was fixed in Apache httpd 2.4.39.
As detailed in the changelog, the flaw, tracked as CVE-2019-0211, impacts all Apache HTTP Server releases from 2.4.17 to 2.4.38 and makes it possible to execute arbitrary code via scoreboard manipulation.
Mark J. Cox, Apache Software Foundation and the OpenSSL project founding member, exp...

References

CWE-264