Arch Linux Security Advisory ASA-201901-14

Severity: High
Date : 2019-01-24
CVE-ID : CVE-2018-17189 CVE-2018-17199 CVE-2019-0190
Package : apache
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-857

Summary

The package apache before version 2.4.38-1 is vulnerable to multiple
issues including denial of service and insufficient validation.

Resolution

Upgrade to 2.4.38-1.

pacman -Syu “apache>=2.4.38-1”

The problems have been fixed upstream in version 2.4.38.

Workaround

• CVE-2018-17189

Disable the h2 protocol.

Description

• CVE-2018-17189 (denial of service)

By sending request bodies in a slow loris way to plain resources, the
h2 stream of Apache HTTP Server before 2.4.38 for that request
unnecessarily occupied a server thread cleaning up that incoming data.
This affects only HTTP/2 connections. A possible mitigation is to not
enable the h2 protocol.

• CVE-2018-17199 (insufficient validation)

In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks
the session expiry time before decoding the session. This causes
session expiry time to be ignored for mod_session_cookie sessions since
the expiry time is loaded when the session is decoded.

• CVE-2019-0190 (denial of service)

A bug exists in the way mod_ssl handled client renegotiations. A remote
attacker could send a carefully crafted request that would cause
mod_ssl to enter a loop leading to a denial of service. This bug can be
only triggered with Apache HTTP Server version 2.4.37 when using
OpenSSL version 1.1.1 or later, due to an interaction in changes to
handling of renegotiation attempts.

Impact

An attacker is able to crash the Apache server by sending maliciously-
crafted h2 requests and SSL handshakes. In addition, an attacker is
able to reuse an expired session.

References

https://httpd.apache.org/security/vulnerabilities_24.html#2.4.38
https://security.archlinux.org/CVE-2018-17189
https://security.archlinux.org/CVE-2018-17199
https://security.archlinux.org/CVE-2019-0190