In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.
Vulnerable Product |
---|
apache http server |
fedoraproject fedora 29 |
fedoraproject fedora 30 |
canonical ubuntu linux 16.04 |
canonical ubuntu linux 14.04 |
canonical ubuntu linux 18.04 |
canonical ubuntu linux 18.10 |
debian debian linux 9.0 |
opensuse leap 42.3 |
opensuse leap 15.0 |
Rogue 'worker' processes can sneak in with elevated privileges at startup
Apache HTTP Server has been given a patch to address a potentially serious elevation of privilege vulnerability. Designated CVE-2019-0211, the flaw allows a "worker" process to change its privileges when the host server resets itself, potentially allowing anyone with a local account to run commands with root clearance, essentially giving them complete control over the targeted machine. The bug was discovered by researcher Charles Fol of security shop Ambionics, who privately reported the issue t...