====================================================================

                             CERT-Renater

                 Note d'Information No. 2019/VULN028

_____________________________________________________________________

DATE                : 30/01/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache httpd versions prior to
                                      2.4.38.

=====================================================================
https://httpd.apache.org/security/vulnerabilities_24.html
_____________________________________________________________________

CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.37

Description:
A bug exists in the way mod_ssl handled client renegotiations.
A remote attacker could send a carefully crafted request that
would cause mod_ssl to enter a loop leading to a denial of
service.  This bug can be only triggered with Apache HTTP Server
version 2.4.37 when using OpenSSL version 1.1.1 or later, due to
an interaction in changes to handling of renegotiation attempts.

Mitigation:
All httpd users consuming mod_ssl combined with OpenSSL 1.1.1 or later
should upgrade to 2.4.38 or later.

Credit:
The issue was identified through user bug reports.

References:
https://httpd.apache.org/security/vulnerabilities_24.html

_____________________________________________________________________


CVE-2018-17199: mod_session_cookie does not respect expiry time

Severity: low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.0 to 2.4.37

Description:
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session
checks the session expiry time before decoding the session.
This causes session expiry time to be ignored for
mod_session_cookie sessions since the expiry time is loaded
when the session is decoded.

Mitigation:
All httpd users deploying mod_session should upgrade to 2.4.38 or later.

Credit:
The issue was discovered by Diego Angulo from ImExHS.

References:
https://httpd.apache.org/security/vulnerabilities_24.html

_____________________________________________________________________


CVE-2018-17189: mod_http2, DoS via slow, unneeded request bodies

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.17 to 2.4.37

Description:
By sending request bodies in a slow loris way to plain
resources, the h2 stream for that request unnecessarily
occupied a server thread cleaning up that incoming data.
This affects only HTTP/2 (mod_http2) connections in
Apache HTTP Server versions 2.4.37 and prior.

Mitigation:
All httpd users deploying mod_http2 should upgrade to 2.4.38 or later.

Credit:
The issue was discovered by Gal Goldshtein of F5 Networks.

References:
https://httpd.apache.org/security/vulnerabilities_24.html

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================