Apache HTTP Server Vulnerabilities Related to Version 2.4.39

IDs: 
CVE-2019-0211, CVE-2019-0217, CVE-2019-0215, CVE-2019-0197, CVE-2019-0220, CVE-2019-0196
Keywords: 
httpd
Description: 

The Apache HTTP Server version 2.4.39 fixes six vulnerabilities [1].

No action required for Airlock WAF

Details:

  • CVE-2019-0211 Privilege escalation from modules' scripts: The risk for Airlock WAF is negligible. The Apache HTTP Server in Airlock WAF is stripped down and has a low attack surface for remote code execution in a worker thread. Further, privilege escalation to the privileges of the parent process does not pose a significant threat because all Apache processes are restricted by a custom, least-privilege SELinux policy. This policy restricts the capabilities of the parent process (running as root) independently of its DAC permissions.
  • CVE-2019-0217 mod_auth_digest access control bypass: This module is not used by Airlock WAF.
  • CVE-2019-0215 mod_ssl access control bypass: This vulnerability was discovered by Michael Kaufmann from the Airlock Team and does not affect supported versions of Airlock WAF. The vulnerability affects TLS 1.3, which will be available in the upcoming WAF release 7.2.
  • CVE-2019-0197 possible crash on late upgrade (mod_http2): Apache rates the risk as low. The risk for Airlock WAF is negligible.
  • CVE-2019-0220 read-after-free on a string compare: Affects mod_http2. Apache rates the risk as low. The risk for Airlock WAF is negligible.
  • CVE-2019-0196 httpd URL normalization inconsistency: Apache rates the risk as low. The risk for Airlock WAF is negligible.
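The CVE-2019-0211 entry above rests on two facts an operator can verify on their own Apache hosts: that httpd is at or past the fixed 2.4.39 build, and that the root-owned parent process is confined by an SELinux domain so that DAC root does not equal unrestricted root. The following POSIX shell checks are an added example, not part of the advisory or of Airlock's tooling; the process lines are constructed in the shape of `ps -eo label,user,comm` output, and the treatment of `unconfined_t`/`initrc_t` as "not confined" is an assumption.

```shell
#!/bin/sh
# Added example, not from the advisory. Two defender-side checks for the
# CVE-2019-0211 reasoning: fixed version reached, and root httpd parent
# confined by SELinux policy regardless of its DAC permissions.

# Return 0 when version "$1" (e.g. "2.4.39") is >= the fixed release 2.4.39.
# Compares each dotted component numerically so "2.4.9" does not beat "2.4.39".
httpd_version_fixed() {
    v="$1"; fixed="2.4.39"; i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s' "$v" | cut -d. -f"$i")
        b=$(printf '%s' "$fixed" | cut -d. -f"$i")
        a=${a:-0}; b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Read "label user comm" lines (shape of `ps -eo label,user,comm`) from stdin.
# Return 0 when every root-owned httpd process runs in a confined domain,
# 1 when one runs unconfined (assumed: unconfined_t or initrc_t) or when no
# root httpd parent is present at all.
httpd_parent_confined() {
    rc=0; seen=0
    while read -r label user comm; do
        [ "$comm" = "httpd" ] && [ "$user" = "root" ] || continue
        seen=1
        domain=$(printf '%s' "$label" | cut -d: -f3)   # user:role:type:level
        case "$domain" in
            unconfined_t|initrc_t) rc=1 ;;
        esac
    done
    [ "$seen" -eq 1 ] || return 1
    return "$rc"
}

# Constructed sample process listings (not captured from a real host).
SAMPLE_CONFINED='system_u:system_r:httpd_t:s0 root httpd
system_u:system_r:httpd_t:s0 apache httpd
system_u:system_r:httpd_t:s0 apache httpd'
SAMPLE_UNCONFINED='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root httpd
system_u:system_r:httpd_t:s0 apache httpd'

httpd_version_fixed "2.4.39" && echo "2.4.39: fixed build" || echo "2.4.39: vulnerable"
printf '%s\n' "$SAMPLE_CONFINED" | httpd_parent_confined && echo "parent confined"
printf '%s\n' "$SAMPLE_UNCONFINED" | httpd_parent_confined || echo "parent NOT confined"
```

On a live host, feed `httpd -v | sed -n 's#.*Apache/\([0-9.]*\).*#\1#p'` to the first check and `ps -eo label,user,comm` to the second.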
Resolution: 

No action is required.

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
No action required