[SingCERT] Alert on Privilege Escalation Vulnerability (CVE-2019-0211) affecting Apache Web Server

Published on Thursday, 04 April 2019 13:57


A security researcher has discovered a critical privilege escalation vulnerability (CVE-2019-0211) affecting the Apache web server when it uses the worker or prefork Multi-Processing Module (MPM).


Affected Versions

Apache HTTP Server versions 2.4.17 - 2.4.38

Note: Non-Unix operating systems (e.g. Microsoft Windows) are not affected.


Code running in less-privileged child processes or threads, including scripts executed by an in-process scripting interpreter, could execute arbitrary code with the privileges of the parent process (typically "root") by manipulating the Apache scoreboard, a data structure that keeps track of server activity.



Administrators of Apache HTTP servers on Unix operating systems that run the worker or prefork MPM should upgrade to the latest version (2.4.39 or later).
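
One way to check a host against the criteria in this alert, as an added example that is not part of the SingCERT alert: it parses the text printed by `httpd -V` or `apachectl -V` and compares the version and MPM with the affected range. The function name, the verdict strings and the sample output are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify `httpd -V` output against this alert's criteria.
# Verdicts (names chosen for this example): affected | review | not-affected | unknown

cve_2019_0211_status() {
    out=$1    # full text printed by `httpd -V` or `apachectl -V`

    # "Server version: Apache/2.4.29 (Unix)" -> 2.4.29
    ver=$(printf '%s\n' "$out" |
        sed -n 's|^Server version:[[:space:]]*Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1)
    # "Server MPM:     prefork" -> prefork
    mpm=$(printf '%s\n' "$out" |
        sed -n 's|^Server MPM:[[:space:]]*\([A-Za-z_]*\).*|\1|p' |
        head -n 1 | tr 'A-Z' 'a-z')

    [ -n "$ver" ] || { echo unknown; return; }

    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}

    # Affected range from the alert: 2.4.17 through 2.4.38.
    if [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] &&
       [ "$patch" -ge 17 ] && [ "$patch" -le 38 ]; then
        case $mpm in
            worker|prefork) echo affected ;;      # MPMs named in the alert
            winnt)          echo not-affected ;;  # Windows MPM; non-Unix is not affected
            *)              echo review ;;        # in range, MPM not named in the alert or not reported
        esac
    else
        echo not-affected
    fi
}

# Constructed sample output, not taken from a real host.
SAMPLE='Server version: Apache/2.4.29 (Unix)
Server built:   Jan  1 2019 00:00:00
Server MPM:     prefork
  threaded:     no'

cve_2019_0211_status "$SAMPLE"
# On a live host: cve_2019_0211_status "$(apachectl -V 2>/dev/null)"
```

A `review` verdict means the version is inside the affected range but the reported MPM is not one the alert names, so the host should be checked by hand rather than treated as safe.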