Apache needs a patchy! Carpe Diem, update now

The maintainers of one of the world’s most popular web servers, Apache HTTP Server, have patched a critical vulnerability that could give an attacker a way to gain full ‘root’ admin control on Unix-based systems.

Named ‘Carpe Diem’ by the researcher who discovered it, Ambionics engineer Charles Fol, techies might prefer to first read his account of what is now identified as CVE-2019-0211 rather than the notification on the Apache Software Foundation’s official site which is light on detail.

Assigned a CVSS vulnerability score of 8.8, the flaw affects Apache HTTP Server (‘Apache’ to its friends) versions 2.4.17 (9 October 2015) to 2.4.38 (1 April 2019), the official notification states:

With MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard.

Windows servers aren’t affected but a large number of mainly recent Linux distributions are caught up in the alert.

The vulnerability

At heart, the flaw is an issue of privilege escalation triggered when Apache executes a graceful restart – jargon for allowing existing server threads to complete what they’re doing on a live website, which might happen once a day. (This also explains the ‘diem’ – day in Latin – part of the nickname Fol gave it.)

When restarting, Fol discovered an opportunity arises for a low-privilege process to elevate itself to root via a script, for example via PHP or CGI.

Who is affected?

Doing this requires having local access but that would be the case where Apache is being run in shared hosting environments, a routine way of packing large numbers of separate websites on to one server under a single IP address.

For an attacker, having local access would simply mean paying a few dollars for a cheap web hosting account (or taking one over).

Anyone in this category should make applying version 2.4.39 an urgent priority: Tweeted Mark J. Cox of the Apache Software Foundation:

One scenario is that the flaw could be used in conjunction with a second flaw such as a remote code exploit (RCE) in which CVE-2019-0211 is then used to elevate privileges. Cox responded to such a suggestion:

Version 2.4.39 also patches five other less serious flaws: CVE-2019-0217, CVE-2019-0215, CVE-2019-0197, CVE-2019-0196, and CVE-2019-0220.

Naturally, Apache gets the same periodic security patches as any software, including one for the serious Optionsbleed flaw in 2017.

On a related theme in the same year, Equifax made another flaw in the Apache Struts add-on famous (CVE-2017-5638) after it was blamed for a huge data breach suffered by the company. In that incident, the company later admitted it had failed to apply a patch made available months before the attack.