-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3133
                      Apache HTTP Server 2.4.41 released
                               16 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           httpd
Publisher:         Apache
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
                   Reduced Security               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-10098 CVE-2019-10097 CVE-2019-10092 CVE-2019-10082
                   CVE-2019-10081 CVE-2019-9517

Original Bulletin:
   https://lists.apache.org/thread.html/be1e153d17bb9e32d43a38f176d93bf8a9f7568f5c8f3f5e5ebf76cd@%3Cannounce.httpd.apache.org%3E
   https://httpd.apache.org/security/vulnerabilities_24.html

- --------------------------BEGIN INCLUDED TEXT--------------------

                  Apache HTTP Server 2.4.41 Released

   August 14, 2019

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.4.41 of the Apache HTTP
   Server ("Apache"). This version of Apache is our latest GA release of
   the new generation 2.4.x branch of Apache HTTPD and represents fifteen
   years of innovation by the project, and is recommended over all
   previous releases. This release of Apache is a security and bug fix
   release.

   We consider this release to be the best version of Apache available, and
   encourage users of all prior versions to upgrade.

   Apache HTTP Server 2.4.41 is available for download from:

     https://httpd.apache.org/download.cgi

   Apache 2.4 offers numerous enhancements, improvements, and performance
   boosts over the 2.2 codebase.
   For an overview of new features introduced since 2.4 please see:

     https://httpd.apache.org/docs/trunk/new_features_2_4.html

   Please see the CHANGES_2.4 file, linked from the download page, for a
   full list of changes. A condensed list, CHANGES_2.4.41, includes only
   those changes introduced since the prior 2.4 release. A summary of all
   of the security vulnerabilities addressed in this and earlier releases
   is available:

     https://httpd.apache.org/security/vulnerabilities_24.html

   This release requires the Apache Portable Runtime (APR), minimum
   version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may
   require the 1.6.x version of both APR and APR-Util. The APR libraries
   must be upgraded for all features of httpd to operate correctly.

   This release builds on and extends the Apache 2.2 API. Modules written
   for Apache 2.2 will need to be recompiled in order to run with Apache
   2.4, and require minimal or no source code changes.

     https://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING

   When upgrading or installing this version of Apache, please bear in mind
   that if you intend to use Apache with one of the threaded MPMs (other
   than the Prefork MPM), you must ensure that any modules you will be
   using (and the libraries they depend on) are thread-safe.

   Please note the 2.2.x branch has now passed the end of life at the Apache
   HTTP Server project and no further activity will occur, including
   security patches. Users must promptly complete their transitions to this
   2.4.x release of httpd to benefit from further bug fixes or new features.

- --------------------------------------------------------------------------------

Fixed in Apache httpd 2.4.41

low: Limited cross-site scripting in mod_proxy error page (CVE-2019-10092)

A limited cross-site scripting issue was reported affecting the mod_proxy error
page. An attacker could cause the link on the error page to be malformed and
instead point to a page of their choice.
This would only be exploitable where a server was set up with proxying enabled
but was misconfigured in such a way that the Proxy Error page was displayed.

We have taken this opportunity to also remove request data from many other
in-built error messages. Note however this issue did not affect them directly
and their output was already escaped to prevent cross-site scripting attacks.

Acknowledgements: This issue was reported by Matei "Mal" Badanoiu

Reported to security team: 9th July 2019
Issue public:              14th August 2019
Update Released:           14th August 2019
Affects:                   2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30,
                           2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20,
                           2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7,
                           2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0

low: mod_rewrite potential open redirect (CVE-2019-10098)

Redirects configured with mod_rewrite that were intended to be self-referential
might be fooled by encoded newlines and redirect instead to an unexpected URL
within the request URL.

Acknowledgements: The issue was discovered by Yukitsugu Sasaki

Reported to security team: 26th March 2019
Issue public:              14th August 2019
Update Released:           14th August 2019
Affects:                   2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30,
                           2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20,
                           2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7,
                           2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0

moderate: mod_http2, read-after-free in h2 connection shutdown (CVE-2019-10082)

Using fuzzed network input, the http/2 session handling could be made to read
memory after being freed, during connection shutdown.

Acknowledgements: The issue was discovered by Craig Young of Tripwire VERT,
<vuln-report@secur3.us>.
Reported to security team: 12th April 2019
Issue public:              14th August 2019
Update Released:           14th August 2019
Affects:                   2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.32,
                           2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20,
                           2.4.18

moderate: mod_http2, memory corruption on early pushes (CVE-2019-10081)

HTTP/2 very early pushes, for example configured with "H2PushResource", could
lead to an overwrite of memory in the pushing request's pool, leading to
crashes. The memory copied is that of the configured push link header values,
not data supplied by the client.

Acknowledgements: The issue was discovered by Craig Young of Tripwire VERT,
<vuln-report@secur3.us>.

Reported to security team: 10th April 2019
Issue public:              14th August 2019
Update Released:           14th August 2019
Affects:                   2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.32,
                           2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20

moderate: mod_http2, DoS attack by exhausting h2 workers (CVE-2019-9517)

A malicious client could perform a DoS attack by flooding a connection with
requests and basically never reading responses on the TCP connection. Depending
on h2 worker dimensioning, it was possible to block those with relatively few
connections.

Acknowledgements: The issue was discovered by Jonathan Looney of Netflix.

Reported to security team: 10th April 2019
Issue public:              14th August 2019
Update Released:           14th August 2019
Affects:                   2.4.39, 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.32,
                           2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20

moderate: mod_remoteip: Stack buffer overflow and NULL pointer dereference (CVE-2019-10097)

When mod_remoteip was configured to use a trusted intermediary proxy server
using the "PROXY" protocol, a specially crafted PROXY header could trigger a
stack buffer overflow or NULL pointer dereference. This vulnerability could
only be triggered by a trusted proxy and not by untrusted HTTP clients.
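The mod_rewrite entry above (CVE-2019-10098) says that redirects meant to be self-referential could be fooled by encoded newlines. The block below is an added illustration, not mod_rewrite's code and not a reproduction of the httpd code path; it shows only the regular-expression property that such input exploits. In Python's re module, as in PCRE by default, '$' also matches just before a newline that ends the subject, so a rule anchored with '$' accepts a percent-decoded path that ends in "\n" while having examined only the part before it; '\Z' (PCRE's DOLLAR_ENDONLY option has the same effect) anchors at the true end. The /app/ path pattern, the origin https://www.example.org and the function names are assumptions made for this example.

```python
"""Illustration (added example, not httpd code): a '$'-anchored "is this one of
our own paths" rule is satisfied by a decoded path ending in a newline, and the
bytes the anchor skipped then ride along into whatever is built from the path."""
import re
from typing import Optional
from urllib.parse import unquote

# Hypothetical rule, two anchorings.  '$' matches at the end OR just before a
# string-final "\n"; '\Z' matches only at the real end of the subject.
LOCAL_PATH_LOOSE = re.compile(r"^/app/[A-Za-z0-9_./-]*$")
LOCAL_PATH_STRICT = re.compile(r"^/app/[A-Za-z0-9_./-]*\Z")

SITE = "https://www.example.org"  # assumed canonical origin for self-redirects


def matched_span(request_path: str, rule: re.Pattern) -> Optional[str]:
    """What the rule actually looked at, after server-style %XX decoding."""
    m = rule.match(unquote(request_path))  # "%0a" decodes to a real "\n"
    return m.group(0) if m else None


def self_redirect(request_path: str, rule: re.Pattern) -> Optional[str]:
    """Return the Location value a 'redirect back to ourselves' rule would emit,
    or None when the rule refuses the path.  The value is built from the whole
    decoded path, as a rule that only meant to *test* the path would do."""
    decoded = unquote(request_path)
    if rule.match(decoded) is None:
        return None
    return SITE + decoded


if __name__ == "__main__":
    for path in ("/app/page", "/app/page%0a", "/other"):
        for name, rule in (("loose", LOCAL_PATH_LOOSE), ("strict", LOCAL_PATH_STRICT)):
            print(f"{path!r:16} {name:6} span={matched_span(path, rule)!r:14} "
                  f"location={self_redirect(path, rule)!r}")
```

With the loose rule the check passes for "/app/page%0a" although the match covers only "/app/page"; the trailing newline, and anything that would follow it in a longer request, is never inspected but is still present in the decoded string the redirect is built from. The strict anchor rejects the same input outright. The general rule for any allow-list regex over decoded input: anchor with '\Z' (or require that the match end equals the input length) and build the output from the matched groups, never from the unmatched remainder.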
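For the mod_remoteip entry above (CVE-2019-10097), the following is an added example, not mod_remoteip's code: a strict parser for the PROXY protocol version 1 header that refuses the malformed shapes a crafted header can take, namely no CRLF within the 107-byte maximum the protocol specifies, too few fields, an address that does not match the declared family, and a port that is not a number in range. Each of these checks is the kind of bound that, when missing in a C implementation reading into a fixed-size stack buffer, becomes an over-read or over-write of that buffer or a dereference of a field that was never there. The sample headers used in the test are constructed, using documentation address ranges; the function and class names are this example's own.

```python
"""Strict PROXY protocol v1 header parser (added illustration, not httpd code).

Header shape:  "PROXY <TCP4|TCP6|UNKNOWN> <src> <dst> <srcport> <dstport>\r\n"
The whole header, CRLF included, is at most 107 bytes by specification."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PP1_MAX_LEN = 107  # spec maximum for a v1 header, CRLF included


class ProxyHeaderError(ValueError):
    """Any header that must be refused; the receiver should drop the connection."""


@dataclass(frozen=True)
class ProxyInfo:
    family: str
    src_addr: Optional[str]
    dst_addr: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]
    consumed: int  # bytes taken by the header; the proxied stream starts here


def _port(raw: bytes) -> int:
    if not raw.isdigit():  # rejects empty, signs, whitespace, non-ASCII
        raise ProxyHeaderError("bad port %r" % raw)
    value = int(raw)
    if value > 65535:
        raise ProxyHeaderError("port out of range: %d" % value)
    return value


def _addr(raw: bytes, version: int) -> str:
    try:
        ip = ipaddress.ip_address(raw.decode("ascii"))
    except ValueError as exc:  # UnicodeDecodeError and AddressValueError both derive from it
        raise ProxyHeaderError("bad address %r" % raw) from exc
    if ip.version != version:
        raise ProxyHeaderError("address %s does not match declared family" % ip)
    return str(ip)


def parse_proxy_v1(buf: bytes) -> ProxyInfo:
    # Bounded terminator search: a header with no CRLF inside the first 107
    # bytes is invalid, so the parser never scans or copies beyond that point.
    end = buf.find(b"\r\n", 0, PP1_MAX_LEN)
    if end < 0:
        raise ProxyHeaderError("no CRLF within %d bytes" % PP1_MAX_LEN)
    line = buf[:end]
    if not line.startswith(b"PROXY "):
        raise ProxyHeaderError("missing PROXY signature")
    parts = line.split(b" ")
    family = parts[1]
    if family == b"UNKNOWN":
        # The rest of the line carries no trustworthy address and is ignored.
        return ProxyInfo("UNKNOWN", None, None, None, None, end + 2)
    if family not in (b"TCP4", b"TCP6"):
        raise ProxyHeaderError("unsupported family %r" % family)
    # Exact field count: a short header must never be read as if every field
    # existed (the NULL-dereference shape) and a long one must not be trusted.
    if len(parts) != 6:
        raise ProxyHeaderError("expected 6 fields, got %d" % len(parts))
    version = 4 if family == b"TCP4" else 6
    src, dst = _addr(parts[2], version), _addr(parts[3], version)
    sport, dport = _port(parts[4]), _port(parts[5])
    return ProxyInfo(family.decode("ascii"), src, dst, sport, dport, end + 2)


def rejects(buf: bytes) -> bool:
    """True when the parser refuses the header (used by the checks below)."""
    try:
        parse_proxy_v1(buf)
    except ProxyHeaderError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: a valid header followed by the first bytes of a request.
    sample = b"PROXY TCP4 192.0.2.10 203.0.113.5 51234 443\r\nGET / HTTP/1.1\r\n"
    info = parse_proxy_v1(sample)
    print(info, "payload starts with", sample[info.consumed:info.consumed + 5])
    print("oversized rejected:", rejects(b"PROXY TCP4 " + b"9" * 200 + b"\r\n"))
```

Two points carry over directly to a native implementation: the CRLF search must stop at 107 bytes so that a header without a terminator cannot drive a read or copy past the receive buffer, and the field count must be verified before any field is used, so that a header such as "PROXY TCP4 192.0.2.10 203.0.113.5\r\n" is refused rather than parsed with missing address or port pointers. Note also that, as the advisory states, this input only ever comes from the proxy the server was configured to trust; hardening the parser does not change that trust decision, it just stops a compromised or buggy proxy from turning it into memory corruption.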
Acknowledgements: The issue was discovered by Daniel McCarney <cpu@letsencrypt.org>
Let's Encrypt / Internet Security Research Group (ISRG)

Reported to security team: 23rd July 2019
Issue public:              14th August 2019
Update Released:           14th August 2019
Affects:                   2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who
that is, please send an email to auscert@auscert.org.au and we will forward
your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXVX5YGaOgq3Tt24GAQievRAAnE6RC3RGXceSqPygJYg76UZsjytp/sqP
RkAimUHjyk+6fbiAxXpMCVnq1URJfskqEKXDosxep8ZPt+BxU5z02GZZTMGlnwXy
9Tir5ucvtvv2+e3+614vfojuGFiVQPxiN5iDJ6zTXI+I5526G+u0T0xgM6JKzTD7
M892H+gBT8mophG/+ybHDQHjjOCX8f3w8G0hpCj6sxZZgRUxzvyNAXDRVPF5Kj0t
zhzV+hPtTBVX0LHSZw/GElXgnxX1a7U/xUEIf0/CqMGdle5eX+bfHNWUAHrg6F2B
wyVaOP3oGZKa/2bFosaoLrPx+Bu5EOu4/0N89MlQ3zfao6+tbx0c4oC/cAU/u4vh
WxsLMH8wDDNvTFQQ1PGXOna7xxgrFiwgcdh9RPu7GKj9vpuduDUU9gTiot95bKGX
FXtDWzLihBEme+l9U32DaDKsYxPw43nXXoWRhZ4tFxAseuxzHRuppZ6CeAXvwIF8
8jUeZyGjF6Z/c5i8+X8hM6vGyZHejEAZZu+dVT5/auDkpzfFrO4cMYprDxOOU83u
82eZLGg2nPUhf6dwKw5MB7F/WyXJgNiIozsjU+rDI2pfybc0qmzBh6T9KDHfPjfL
IwkbR7CHgP5J1JqFUwmZPfw8SGfpnycqJUM1OFe1it1aPRNdSy74G+JXjdGqCbsi
K4/LN4aa2d4=
=lRBw
-----END PGP SIGNATURE-----