Reference: Advisory #2019-008
Version: 1.0
Affected software: Apache 2.4 versions prior to 2.4.39
Type: Arbitrary code execution, user access control bypass
CVE/CVSS:
CVE: CVE-2019-0211, CVE-2019-0215, CVE-2019-0217
CVE-Score: 8.2
https://httpd.apache.org/security/vulnerabilities_24.html
Users with limited permissions on the server might be able to elevate their privileges using scripts, making it possible to run commands on vulnerable Apache web servers as root.
In Apache HTTP Server 2.4, versions 2.4.17 to 2.4.38, code running in secondary processes with lesser privileges could execute arbitrary code with root privileges by manipulating the scoreboard functionality of its mod_status module.
Non-Unix systems are not affected by this vulnerability.
Two other vulnerabilities, CVE-2019-0215 and CVE-2019-0217, could let a malicious actor bypass configured access control restrictions. All operating systems are affected.
CERT.be recommends that administrators update Apache to the latest available version.
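
A version check against the ranges stated in this advisory, as an added example that is not part of the CERT.be advisory. The function names, result labels and sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an Apache httpd version banner against the version
# ranges given in this advisory. Function names and labels are hypothetical.

# Pull "major.minor.patch" out of text such as `httpd -v` output or a
# Server: response header. Prints nothing when no Apache version is present.
extract_httpd_version() {
    printf '%s\n' "$1" \
        | sed -n 's|.*Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' \
        | head -n 1
}

# Print one label for the banner passed as $1:
#   unknown           no parsable Apache version
#   out-of-scope      not a 2.4.x release (the advisory covers 2.4 only)
#   fixed             2.4.39 or later
#   affected          2.4.x prior to 2.4.39 (advisory's affected-software range)
#   affected+privesc  2.4.17 to 2.4.38: also in the range for the root
#                     privilege escalation (Unix systems only, per the advisory)
classify_httpd() {
    ver=$(extract_httpd_version "$1")
    [ -n "$ver" ] || { echo unknown; return 0; }
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -ne 2 ] || [ "$minor" -ne 4 ]; then
        echo out-of-scope
    elif [ "$patch" -ge 39 ]; then
        echo fixed
    elif [ "$patch" -ge 17 ]; then
        echo affected+privesc
    else
        echo affected
    fi
}

# Constructed sample banners. On a live host, pass the real banner instead,
# for example: classify_httpd "$(apachectl -v 2>/dev/null)"
for banner in \
    'Server version: Apache/2.4.38 (Unix)' \
    'Server version: Apache/2.4.10 (Debian)' \
    'Server: Apache/2.4.39 (Win64)' \
    'Server: nginx/1.14.0'
do
    printf '%-42s %s\n' "$banner" "$(classify_httpd "$banner")"
done
```

Distribution packages may carry backported fixes without changing the upstream version number, so confirm an "affected" result against the vendor's package changelog before treating the host as unpatched.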