Apache HTTP Server Vulnerabilities Jan 2019 - Apr 2020

Summary

Symantec Web Security Group (WSG) products using affected versions of Apache HTTP Server may be susceptible to multiple vulnerabilities. A remote attacker can bypass security controls, modify the behavior of HTTP Server configuration, obtain information from the server process memory, perform XSS attacks, and cause denial of service. A local low-privileged attacker can escalate their privileges on the system.

Affected Product(s)

The following products and product versions are vulnerable to the CVEs listed. If a CVE is not listed, the product or version is not known to be vulnerable to it.

Content Analysis (CA)

---

CVE

|

Supported Version(s)

|

Remediation

CVE-2019-10098, CVE-2019-0220

|

2.3

|

Upgrade to later release with fixes.

2.4, 3.0, 3.1

|

Remediation is not available at this time.

CVE-2020-1927

|

2.3, 2.4

|

Not vulnerable

3.0, 3.1

|

Remediation is not available at this time.

Security Analytics (SA)

---

CVE

|

Supported Version(s)

|

Remediation

CVE-2019-0211

|

7.2, 7.3, 8.0

|

Upgrade to later release with fixes.

8.1

|

Not vulnerable, remediation available in 8.1.1.

Additional Product Information

CVE-2019-0211 is exploitable in Security Analytics (SA) only when an authenticated web UI user can create and execute custom Lua scripts for data enrichment workflows. The web UI user must belong to a group that has permissions to modify data enrichment settings and create/edit rules.

The following products are not vulnerable:
**Advanced Secure Gateway (ASG) ****AuthConnector
BCAAA
General Auth Connector Login Application
HSM Agent
Management Center (MC)
**PacketShaper (PS) S-Series
PolicyCenter (PC) S-Series
ProxySG
Reporter
SSL Visibility
Symantec Messaging Gateway (SMG)
Unified Agent
Web Isolation (WI)
WSS Agent
WSS Mobile Agent

Issue Details

CVE-2018-17189

---

Severity / CVSS v3.x:

|

Medium / 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

References:

|

NVD: CVE-2018-17189

Impact:

|

Denial of service

Description:

|

A flaw in the mod_http2 module allows a remote attacker to send crafted HTTP/2 requests and cause denial of service by occupying a server thread.

---

CVE-2018-17199

---

Severity / CVSS v3.x:

|

High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

References:

|

NVD: CVE-2018-17199

Impact:

|

Security control bypass

Description:

|

A flaw in the mod_session module allows a remote attacker to bypass the session expiry check for sessions stored in HTTP cookies.

---

CVE-2019-0190

---

Severity / CVSS v3.x:

|

High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

References:

|

NVD: CVE-2019-0190

Impact:

|

Denial of service

Description:

|

A flaw in mod_ssl client renegotiation handling allows a remote attacker to send a crafted request and cause denial of service through excessive CPU consumption.

---

CVE-2019-0196

---

Severity / CVSS v3.x:

|

Medium / 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

References:

|

NVD: CVE-2019-0196

Impact:

|

Denial of service

Description:

|

A flaw in the mod_http2 module allows a remote attacker to send crafted HTTP/2 requests and cause denial of service through invalid memory read access.

---

CVE-2019-0197

---

Severity / CVSS v3.x:

|

Medium / 4.2 (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L)

References:

|

NVD: CVE-2019-0197

Impact:

|

Denial of service, unauthorized modification

Description:

|

A flaw in the mod_http2 module allows a remote attacker to upgrade HTTP 1.1 connections to HTTP/2 and cause misconfiguration and denial of service through application crashes.

---

CVE-2019-0211

---

Severity / CVSS v3.x:

|

High / 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

References:

|

NVD: CVE-2019-0211

Impact:

|

Privilege escalation

Description:

|

A flaw in process and thread handling allows an attacker who can execute low-privileged arbitrary code on the web server to escalate their privileges on the system. To execute arbitrary code, the attacker must have local access or the web server must allow clients to upload arbitrary code for execution.

CVE-2019-0215

---

Severity / CVSS v3.x:

|

High / 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

References:

|

NVD: CVE-2019-0215

Impact:

|

Security control bypass

Description:

|

A flaw in the mod_ssl module allows a remote attacker to bypass access control restrictions that use client certificate authentication in TLS 1.3 connections.

CVE-2019-0217

---

Severity / CVSS v3.x:

|

High / 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

References:

|

NVD: CVE-2019-0217

Impact:

|

Security control bypass

Description:

|

A flaw in the mod_auth_digest module allows a remote attacker with valid credentials to authenticate using a different username and bypass access control restrictions.

CVE-2019-0220

---

Severity / CVSS v3.x:

|

Medium / 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

References:

|

NVD: CVE-2019-0220

Impact:

|

Unauthorized modification

Description:

|

A flaw in request handling allows a remote attacker to send crafted requests with multiple slashes (‘/’) in the URL path component and modify the behavior of configuration directives that match URL path components against regular expressions.

CVE-2019-9517

---

Severity / CVSS v3.x:

|

High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

References:

|

NVD: CVE-2019-9517

Impact:

|

Denial of service

Description:

|

A flaw in the mod_http2 module allows a remote attacker to send requests for large objects and cause denial of service through excessive CPU and/or memory consumption.

CVE-2019-10081

---

Severity / CVSS v3.x:

|

High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

References:

|

NVD: CVE-2019-10081

Impact:

|

Denial of service

Description:

|

A flaw in the mod_http2 module allows a remote attacker to send requests that trigger the HTTP/2 server push functionality and cause denial of service through memory corruption and application crashes. Server Push is a feature of the HTTP/2 protocol that allows the web server to push additional objects to the client when the client requests a different but related object.

CVE-2019-10082

---

Severity / CVSS v3.x:

|

Critical / 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)

References:

|

NVD: CVE-2019-10082

Impact:

|

Denial of service

Description:

|

A flaw in the mod_http2 module allows a remote attacker to send requests that trigger read-after-free memory accesses and cause denial of service through application crashes.

CVE-2019-10092

---

Severity / CVSS v3.x:

|

Medium / 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

References:

|

NVD: CVE-2019-10092

Impact:

|

Cross-site scripting (XSS)

Description:

|

A flaw in the mod_proxy module allows a remote attacker to target a web server user with a crafted link and execute arbitrary code in the user’s web browser. The web server must have proxying enabled and be misconfigured in order to show a proxy error page.

CVE-2019-10097

---

Severity / CVSS v3.x:

|

High / 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

References:

|

NVD: CVE-2019-10097

Impact:

|

Denial of service

Description:

|

A flaw in the mod_remoteip module allows a malicious downstream proxy to send crafted PROXY headers and cause denial of service through memory corruption and application crashes.

CVE-2019-10098

---

Severity / CVSS v3.x:

|

Medium / 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

References:

|

NVD: CVE-2019-10098

Impact:

|

Open redirection

Description:

|

A flaw in the mod_rewrite module allows a remote attacker to target a web server user with crafted links and redirect the user’s web browser to an arbitrary URL. This vulnerability is different from CVE-2020-1927.

CVE-2020-1927

---

Severity / CVSS v3.x:

|

Medium / 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

References:

|

NVD: CVE-2020-1927

Impact:

|

Open redirection

Description:

|

A flaw in the mod_rewrite module allows a remote attacker to target a web server user with crafted links and redirect the user’s web browser to an arbitrary URL. This vulnerability is different from CVE-2019-10098.

CVE-2020-1934

---

Severity / CVSS v3.x:

|

Medium / 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

References:

|

NVD: CVE-2020-1934

Impact:

|

Information disclosure

Description:

|

A flaw in the mod_proxy_ftp module allows a remote attacker to connect through the web server to a malicious FTP server and obtain limited contents from the web server process’ memory. The target web server must be configured to act as a proxy to a malicious FTP server.

References

Apache 2.4 Security Vulnerabilities - <http://httpd.apache.org/security/vulnerabilities_24.html&gt;

Revisions

2021-07-15 A fix for Security Analytics 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-04-26 PacketShaper (PS) S-Series and PolicyCenter (PC) S-Series are not vulnerable.
2021-02-18 A fix for CA 2.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-12-09 A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-12 Content Analysis 3.1 is vulnerable.
2020-06-18 initial public release