Apache HTTP Server Vulnerabilities Jan 2019 - Apr 2020
Summary
Symantec Web Security Group (WSG) products using affected versions of Apache HTTP Server may be susceptible to multiple vulnerabilities. A remote attacker can bypass security controls, modify the behavior of HTTP Server configuration, obtain information from the server process memory, perform XSS attacks, and cause denial of service. A local low-privileged attacker can escalate their privileges on the system.
Affected Product(s)
The following products and product versions are vulnerable to the CVEs listed. If a CVE is not listed, the product or version is not known to be vulnerable to it.
|
Content Analysis (CA) |
||
|
CVE |
Supported Version(s) |
Remediation |
|
CVE-2019-10098, CVE-2019-0220
|
2.3 |
Upgrade to later release with fixes. |
|
2.4, 3.0 |
Remediation is not available at this time. |
|
|
3.1 |
Upgrade to 3.1.3.2. |
|
|
CVE-2020-1927
|
2.3, 2.4 |
Not vulnerable |
|
3.0 |
Remediation is not available at this time. |
|
|
3.1 |
Upgrade to 3.1.3.2. |
|
|
Security Analytics (SA) |
||
|
CVE |
Supported Version(s) |
Remediation |
|
CVE-2019-0211 |
7.2, 7.3, 8.0 |
Upgrade to later release with fixes. |
|
8.1 |
Not vulnerable, remediation available in 8.1.1. |
|
Additional Product Information
CVE-2019-0211 is exploitable in Security Analytics (SA) only when an authenticated web UI user can create and execute custom Lua scripts for data enrichment workflows. The web UI user must belong to a group that has permissions to modify data enrichment settings and create/edit rules.
The following products are not vulnerable:
Advanced Secure Gateway (ASG)
AuthConnector
BCAAA
General Auth Connector Login Application
HSM Agent
Integrated Secure Gateway (ISG)
Management Center (MC)
PacketShaper (PS) S-Series
PolicyCenter (PC) S-Series
ProxySG
Reporter
SSL Visibility
Symantec Messaging Gateway (SMG)
Unified Agent
Web Isolation (WI)
WSS Agent
WSS Mobile Agent
Issue Details
|
CVE-2018-17189 |
|
|
Severity / CVSS v3.x: |
Medium / 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) |
|
References: |
NVD: CVE-2018-17189 |
|
Impact: |
Denial of service |
|
Description: |
A flaw in the mod_http2 module allows a remote attacker to send crafted HTTP/2 requests and cause denial of service by occupying a server thread. |
|
CVE-2018-17199 |
|
|
Severity / CVSS v3.x: |
High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) |
|
References: |
NVD: CVE-2018-17199 |
|
Impact: |
Security control bypass |
|
Description: |
A flaw in the mod_session module allows a remote attacker to bypass the session expiry check for sessions stored in HTTP cookies. |
|
CVE-2019-0190 |
|
|
Severity / CVSS v3.x: |
High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |
|
References: |
NVD: CVE-2019-0190 |
|
Impact: |
Denial of service |
|
Description: |
A flaw in mod_ssl client renegotiation handling allows a remote attacker to send a crafted request and cause denial of service through excessive CPU consumption. |
|
CVE-2019-0196 |
|
|
Severity / CVSS v3.x: |
Medium / 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) |
|
References: |
NVD: CVE-2019-0196 |
|
Impact: |
Denial of service |
|
Description: |
A flaw in the mod_http2 module allows a remote attacker to send crafted HTTP/2 requests and cause denial of service through invalid memory read access. |
|
CVE-2019-0197 |
|
|
Severity / CVSS v3.x: |
Medium / 4.2 (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L) |
|
References: |
NVD: CVE-2019-0197 |
|
Impact: |
Denial of service, unauthorized modification |
|
Description: |
A flaw in the mod_http2 module allows a remote attacker to upgrade HTTP 1.1 connections to HTTP/2 and cause misconfiguration and denial of service through application crashes. |
|
CVE-2019-0211 |
|
|
Severity / CVSS v3.x: |
High / 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) |
|
References: |
NVD: CVE-2019-0211 |
|
Impact: |
Privilege escalation |
|
Description: |
A flaw in process and thread handling allows an attacker who can execute low-privileged arbitrary code on the web server to escalate their privileges on the system. To execute arbitrary code, the attacker must have local access or the web server must allow clients to upload arbitrary code for execution. |
|
CVE-2019-0215 |
|
|
Severity / CVSS v3.x: |
High / 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) |
|
References: |
NVD: CVE-2019-0215 |
|
Impact: |
Security control bypass |
|
Description: |
A flaw in the mod_ssl module allows a remote attacker to bypass access control restrictions that use client certificate authentication in TLS 1.3 connections. |
|
CVE-2019-0217 |
|
|
Severity / CVSS v3.x: |
High / 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) |
|
References: |
NVD: CVE-2019-0217 |
|
Impact: |
Security control bypass |
|
Description: |
A flaw in the mod_auth_digest module allows a remote attacker with valid credentials to authenticate using a different username and bypass access control restrictions. |
|
CVE-2019-0220 |
|
|
Severity / CVSS v3.x: |
Medium / 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |
|
References: |
NVD: CVE-2019-0220 |
|
Impact: |
Unauthorized modification |
|
Description: |
A flaw in request handling allows a remote attacker to send crafted requests with multiple slashes ('/') in the URL path component and modify the behavior of configuration directives that match URL path components against regular expressions. |
|
CVE-2019-9517 |
|
|
Severity / CVSS v3.x: |
High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |
|
References: |
NVD: CVE-2019-9517 |
|
Impact: |
Denial of service |
|
Description: |
A flaw in the mod_http2 module allows a remote attacker to send requests for large objects and cause denial of service through excessive CPU and/or memory consumption. |
|
CVE-2019-10081 |
|
|
Severity / CVSS v3.x: |
High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |
|
References: |
NVD: CVE-2019-10081 |
|
Impact: |
Denial of service |
|
Description: |
A flaw in the mod_http2 module allows a remote attacker to send requests that trigger the HTTP/2 server push functionality and cause denial of service through memory corruption and application crashes. Server Push is a feature of the HTTP/2 protocol that allows the web server to push additional objects to the client when the client requests a different but related object. |
|
CVE-2019-10082 |
|
|
Severity / CVSS v3.x: |
Critical / 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) |
|
References: |
NVD: CVE-2019-10082 |
|
Impact: |
Denial of service |
|
Description: |
A flaw in the mod_http2 module allows a remote attacker to send requests that trigger read-after-free memory accesses and cause denial of service through application crashes. |
|
CVE-2019-10092 |
|
|
Severity / CVSS v3.x: |
Medium / 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) |
|
References: |
NVD: CVE-2019-10092 |
|
Impact: |
Cross-site scripting (XSS) |
|
Description: |
A flaw in the mod_proxy module allows a remote attacker to target a web server user with a crafted link and execute arbitrary code in the user's web browser. The web server must have proxying enabled and be misconfigured in order to show a proxy error page. |
|
CVE-2019-10097 |
|
|
Severity / CVSS v3.x: |
High / 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) |
|
References: |
NVD: CVE-2019-10097 |
|
Impact: |
Denial of service |
|
Description: |
A flaw in the mod_remoteip module allows a malicious downstream proxy to send crafted PROXY headers and cause denial of service through memory corruption and application crashes. |
|
CVE-2019-10098 |
|
|
Severity / CVSS v3.x: |
Medium / 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) |
|
References: |
NVD: CVE-2019-10098 |
|
Impact: |
Open redirection |
|
Description: |
A flaw in the mod_rewrite module allows a remote attacker to target a web server user with crafted links and redirect the user's web browser to an arbitrary URL. This vulnerability is different from CVE-2020-1927. |
|
CVE-2020-1927 |
|
|
Severity / CVSS v3.x: |
Medium / 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) |
|
References: |
NVD: CVE-2020-1927 |
|
Impact: |
Open redirection |
|
Description: |
A flaw in the mod_rewrite module allows a remote attacker to target a web server user with crafted links and redirect the user's web browser to an arbitrary URL. This vulnerability is different from CVE-2019-10098. |
|
CVE-2020-1934 |
|
|
Severity / CVSS v3.x: |
Medium / 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |
|
References: |
NVD: CVE-2020-1934 |
|
Impact: |
Information disclosure |
|
Description: |
A flaw in the mod_proxy_ftp module allows a remote attacker to connect through the web server to a malicious FTP server and obtain limited contents from the web server process' memory. The target web server must be configured to act as a proxy to a malicious FTP server. |
References
Apache 2.4 Security Vulnerabilities - http://httpd.apache.org/security/vulnerabilities_24.html
Revisions
2022-06-09 Integrated Secure Gateway (ISG) is not vulnerable.
2022-02-16 A fix for CA 3.1 is available in 3.1.3.2.
2021-07-15 A fix for Security Analytics 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-04-26 PacketShaper (PS) S-Series and PolicyCenter (PC) S-Series are not vulnerable.
2021-02-18 A fix for CA 2.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-12-09 A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-12 Content Analysis 3.1 is vulnerable.
2020-06-18 initial public release