Apache HTTP Server CVE-2019-0211 Local Privilege Escalation Vulnerability

2019-04-01T00:00:00
ID SMNTC-107666
Type symantec
Reporter Symantec Security Response
Modified 2019-04-01T00:00:00

Description

Apache HTTP Server is prone to a local privilege-escalation vulnerability. An attacker can exploit this issue to gain elevated privileges on the affected application. Apache HTTP Server versions 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, and 2.4.17 are vulnerable.

Technologies Affected

  • Apache Apache 2.4.17
  • Apache Apache 2.4.18
  • Apache Apache 2.4.20
  • Apache Apache 2.4.23
  • Apache Apache 2.4.25
  • Apache Apache 2.4.26
  • Apache Apache 2.4.27
  • Apache Apache 2.4.28
  • Apache Apache 2.4.29
  • Apache Apache 2.4.30
  • Apache Apache 2.4.33
  • Apache Apache 2.4.34
  • Apache Apache 2.4.35
  • Apache Apache 2.4.37
  • Apache Apache 2.4.38
  • Oracle Enterprise Manager Ops Center 12.3.3
  • Oracle Enterprise Manager Ops Center 12.4.0
  • Oracle HTTP Server 12.2.1.3.0
  • Oracle Instantis EnterpriseTrack 17.1
  • Oracle Instantis EnterpriseTrack 17.2
  • Oracle Instantis EnterpriseTrack 17.3
  • Oracle Retail Xstore Point of Service 7.0
  • Oracle Retail Xstore Point of Service 7.1

Recommendations

Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.
Given the nature of this issue, allow only trusted and accountable users to have local, interactive access to vulnerable computers.

Updates are available. Please see the references or vendor advisory for more information.