Published on Thursday, 04 April 2019 13:57
A security researcher has discovered a critical privilege escalation vulnerability (CVE-2019-0211) affecting the Apache web server when it runs with the worker or prefork Multi-Processing Module (MPM).
Affected versions: Apache HTTP Server 2.4.17 - 2.4.38
Note: Non-Unix operating systems (e.g. Microsoft Windows) are not affected.
Code running in less-privileged child processes or threads, including scripts executed by an in-process scripting interpreter, could execute arbitrary code with the privileges of the parent process (typically "root") by manipulating the Apache scoreboard, a data structure that keeps track of server activity.
Administrators of Apache HTTP servers on Unix operating systems running the worker or prefork MPM should upgrade to version 2.4.39 or later.
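To triage a host against the conditions above, the following added example (not part of the original advisory) classifies the text printed by `httpd -V` using the version range and MPM names this page states. The function name `classify_httpd` and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): classify `httpd -V` output.
# classify_httpd is a hypothetical helper name; the version range and MPM
# names are the ones stated in the advisory text above.
# Prints one of: affected | not-affected | review | unknown
classify_httpd() {
    out=$(cat)
    # Banner line looks like: "Server version: Apache/2.4.38 (Unix)"
    banner=$(printf '%s\n' "$out" | sed -n 's/^Server version:[[:space:]]*//p' | head -n 1)
    ver=$(printf '%s\n' "$banner" |
        sed -n 's|^Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p')
    mpm=$(printf '%s\n' "$out" | sed -n 's/^Server MPM:[[:space:]]*//p' |
        head -n 1 | tr '[:upper:]' '[:lower:]' | tr -d ' \t\r')
    [ -n "$ver" ] || { echo unknown; return; }

    # Non-Unix builds (banner "(Win32)" / "(Win64)") are not affected.
    case $banner in *"(Win"*) echo not-affected; return ;; esac

    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -ne 2 ] || [ "$minor" -ne 4 ] ||
       [ "$patch" -lt 17 ] || [ "$patch" -gt 38 ]; then
        echo not-affected; return
    fi
    case $mpm in
        worker|prefork) echo affected ;;
        "") echo unknown ;;   # version in range, MPM line missing
        *) echo review ;;     # version in range, MPM not named on this page
    esac
}

# Constructed samples of `httpd -V` output (not captured from a real host).
SAMPLE_VULN='Server version: Apache/2.4.38 (Unix)
Server built:   Jan 01 2019 00:00:00
Server MPM:     prefork'
SAMPLE_FIXED='Server version: Apache/2.4.39 (Unix)
Server MPM:     worker'
SAMPLE_WIN='Server version: Apache/2.4.29 (Win64)
Server MPM:     WinNT'

for s in "$SAMPLE_VULN" "$SAMPLE_FIXED" "$SAMPLE_WIN"; do
    printf '%s\n' "$s" | classify_httpd
done
```

On a live host, pipe the real output in, for example `httpd -V 2>/dev/null | classify_httpd` (on some distributions the binary is `apache2` or is invoked through `apachectl`). Distribution packages can carry a backported fix under an unchanged upstream version number, so confirm an `affected` result against the vendor's own advisory.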