ESB-2019.1150.2 - UPDATE [Ubuntu] apache: Multiple vulnerabilities 2019-04-11


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.1150.2
              USN-3937-1: Apache HTTP Server vulnerabilities
                               11 April 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           apache
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Root Compromise        -- Existing Account      
                   Access Privileged Data -- Remote/Unauthenticated
                   Denial of Service      -- Remote/Unauthenticated
                   Unauthorised Access    -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-0220 CVE-2019-0217 CVE-2019-0211
                   CVE-2019-0196 CVE-2018-17199 CVE-2018-17189
                   CVE-2018-1312 CVE-2018-1301 CVE-2017-15710

Reference:         ESB-2019.1129

Original Bulletin: 
   https://usn.ubuntu.com/3937-1/
   https://usn.ubuntu.com/3937-2/

Comment: This bulletin contains two (2) Ubuntu security advisories.

Revision History:  April 11 2019: This update provides the corresponding 
                                  update for Ubuntu 12.04 ESM.
                   April  5 2019: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

USN-3937-1: Apache HTTP Server vulnerabilities
4 April 2019

apache2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  o Ubuntu 18.10
  o Ubuntu 18.04 LTS
  o Ubuntu 16.04 LTS
  o Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the Apache HTTP Server.

Software Description

  o apache2 - Apache HTTP server

Details

Charles Fol discovered that the Apache HTTP Server incorrectly handled the
scoreboard shared memory area. A remote attacker able to upload and run scripts
could possibly use this issue to execute arbitrary code with root privileges.
(CVE-2019-0211)

It was discovered that the Apache HTTP Server HTTP/2 module incorrectly handled
certain requests. A remote attacker could possibly use this issue to cause the
server to consume resources, leading to a denial of service. This issue only
affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-17189)

It was discovered that the Apache HTTP Server incorrectly handled session
expiry times. When used with mod_session_cookie, this may result in the session
expiry time being ignored, contrary to expectations. (CVE-2018-17199)

Craig Young discovered that the Apache HTTP Server HTTP/2 module incorrectly
handled certain requests. A remote attacker could possibly use this issue to
cause the server to process requests incorrectly. This issue only affected
Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2019-0196)

Simon Kappel discovered that the Apache HTTP Server mod_auth_digest module
incorrectly handled threads. A remote attacker with valid credentials could
possibly use this issue to authenticate using another username, bypassing
access control restrictions. (CVE-2019-0217)

Bernhard Lorenz discovered that the Apache HTTP Server was inconsistent when
processing requests containing multiple consecutive slashes. This could cause
directives such as LocationMatch and RewriteRule to behave contrary to
expectations. (CVE-2019-0220)

Update instructions

The problem can be corrected by updating your system to the following package
versions:

Ubuntu 18.10
    apache2-bin - 2.4.34-1ubuntu2.1
Ubuntu 18.04 LTS
    apache2-bin - 2.4.29-1ubuntu4.6
Ubuntu 16.04 LTS
    apache2-bin - 2.4.18-2ubuntu3.10
Ubuntu 14.04 LTS
    apache2-bin - 2.4.7-1ubuntu4.22

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades

In general, a standard system update will make all the necessary changes.

References

  o CVE-2018-17189
  o CVE-2018-17199
  o CVE-2019-0196
  o CVE-2019-0211
  o CVE-2019-0217
  o CVE-2019-0220

================================================================================


==========================================================================
Ubuntu Security Notice USN-3937-2
April 10, 2019

apache2 vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 12.04 ESM

Summary:

Several security issues were fixed in Apache.

Software Description:
- apache2: Apache HTTP server

Details:

USN-3937-1 and USN-3627-1 fixed several vulnerabilities in Apache.
This update provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

  Simon Kappel discovered that the Apache HTTP Server mod_auth_digest
  module incorrectly handled threads. A remote attacker with valid
  credentials could possibly use this issue to authenticate using
  another username, bypassing access control restrictions.  
  (CVE-2019-0217)

  Alex Nichols and Jakob Hirsch discovered that the Apache HTTP Server
  mod_authnz_ldap module incorrectly handled missing charset encoding
  headers. A remote attacker could possibly use this issue to cause the
  server to crash, resulting in a denial of service. (CVE-2017-15710)

  Robert Swiecki discovered that the Apache HTTP Server incorrectly
  handled certain requests. A remote attacker could possibly use this
  issue to cause the server to crash, leading to a denial of service.
  (CVE-2018-1301)

  Nicolas Daniels discovered that the Apache HTTP Server incorrectly
  generated the nonce when creating HTTP Digest authentication
  challenges. A remote attacker could possibly use this issue to replay
  HTTP requests across a cluster of servers.
  (CVE-2018-1312)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 12.04 ESM:
   apache2.2-bin                                      2.2.22-1ubuntu1.15

In general, a standard system update will make all the necessary
changes.
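To check whether a host already carries the fixed package versions listed in the two update sections above, here is an added Python example (not part of the Ubuntu or AusCERT text) that implements the dpkg version ordering from deb-version(7) and compares a dpkg-query line against the advisory's version table. The release codenames and the sample dpkg-query line are assumptions constructed for the example.

```python
import re
from itertools import zip_longest

# Fixed apache2 package versions from USN-3937-1 / USN-3937-2, keyed by release
# codename (codenames are an assumption; the bulletin lists release numbers only).
FIXED = {
    "cosmic": "2.4.34-1ubuntu2.1",    # Ubuntu 18.10      apache2-bin
    "bionic": "2.4.29-1ubuntu4.6",    # Ubuntu 18.04 LTS  apache2-bin
    "xenial": "2.4.18-2ubuntu3.10",   # Ubuntu 16.04 LTS  apache2-bin
    "trusty": "2.4.7-1ubuntu4.22",    # Ubuntu 14.04 LTS  apache2-bin
    "precise": "2.2.22-1ubuntu1.15",  # Ubuntu 12.04 ESM  apache2.2-bin
}

def _weight(c):
    # deb-version(7) character weight: '~' < end of string < letters < others
    if c == "~":
        return -1
    return 0 if c == "" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_part(a, b):
    # dpkg ordering for an upstream_version or debian_revision: alternate
    # non-digit runs (compared character by character) and digit runs (numerically)
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for x, y in zip_longest(sa, sb, fillvalue=""):
            if _weight(x) != _weight(y):
                return _weight(x) - _weight(y)
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
    return 0

def compare_versions(a, b):
    """Return <0, 0 or >0 like `dpkg --compare-versions a lt/eq/gt b`."""
    ea, _, ra = a.partition(":") if ":" in a else ("0", "", a)
    eb, _, rb = b.partition(":") if ":" in b else ("0", "", b)
    ua, _, va = ra.rpartition("-") if "-" in ra else (ra, "", "0")
    ub, _, vb = rb.rpartition("-") if "-" in rb else (rb, "", "0")
    return (int(ea) - int(eb)) or _cmp_part(ua, ub) or _cmp_part(va, vb)

def check_dpkg_line(codename, line):
    # Parse one line of `dpkg-query -W -f='${Package} ${Version}\n' apache2-bin`
    # and report whether that version is at or above the fixed one for the release.
    pkg, ver = line.split()
    return pkg, ver, compare_versions(ver, FIXED[codename]) >= 0

# Constructed sample: an 18.04 host still one revision behind the fix.
print(check_dpkg_line("bionic", "apache2-bin 2.4.29-1ubuntu4.5"))
```

A `~` suffix (for example an `~esm` build) sorts below the same version without it, so the comparison handles ESM-style versions the same way dpkg does.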

References:
   https://usn.ubuntu.com/usn/usn-3937-2
   https://usn.ubuntu.com/usn/usn-3937-1
   CVE-2017-15710, CVE-2018-1301, CVE-2018-1312, CVE-2019-0217

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
