[BlueOnyx:22799] Re: Apache Security Issues - attacker may gain root privileges

Michael Stauber mstauber at blueonyx.it
Wed Apr 3 12:29:20 -05 2019


Hi Gerrit,

> are you aware of the security issue in apache webserver:
> 
> https://httpd.apache.org/security/vulnerabilities_24.html
> (English) 

I just went through that list and checked. So this is "only" Apache 2.4,
which means the bugs on that list might affect BlueOnyx 5209R only.

We can ignore the ones related to HTTP/2 or TLSv1.3 as 5209R doesn't
have that. A few of the remaining ones would be nuisances at best, but
CVE-2019-0211 ("privilege escalation") would indeed be a kicker. If it
affected us.

Let's see what RedHat's CVE database says about it:

https://access.redhat.com/security/cve/cve-2019-0211

And there it says:
-------------------

Red Hat Enterprise Linux 7 	httpd 	Not affected
Red Hat Enterprise Linux 6 	httpd 	Not affected
Red Hat Enterprise Linux 5 	httpd 	Not affected

It doesn't surprise me, as the RHEL7/CentOS7 Apache 2.4 is based on
Apache 2.4.6 and that's so old that it got a six foot beard. The next
major function/feature leap in the Apache code tree was around
2.4.12/2.4.14 and there were some important major milestones after that.

The absence of the forcefully bolted on HTTP/2 and TLSv1.3 support in
that old Apache fork is a bit of a godsend and RedHat totally missed
that train and the bugs associated with it. /shrug

-- 
With best regards

Michael Stauber


