A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts.

An update of the httpd package has been released.

According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.38. It is, therefore, affected by multiple vulnerabilities:

 - A denial of service (DoS) vulnerability exists in HTTP/2 steam handling. An unauthenticated, remote attacker can exploit this issue, via sending request bodies in a slow loris way to plain resources, to occupy a server thread. (CVE-2018-17189)

 - A vulnerability exists in mod_sesion_cookie, as it does not properly check the expiry time of cookies. (CVE-2018-17199)

 - A denial of service (DoS) vulnerability exists in mod_ssl when used with OpenSSL 1.1.1 due to an interaction in changes to handling of renegotiation attempts. An unauthenticated, remote attacker can exploit this issue to cause mod_ssl to stop responding. (CVE-2019-0190)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-201903-21 (Apache: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Apache. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker can possibly cause a Denial of Service condition or       could bypass mod_session_cookie expiration time.
  Workaround :

    There is no known workaround at this time.

In Apache HTTP server by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections. (CVE-2018-17189)

A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service.
(CVE-2019-0190)

In Apache HTTP Server mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded. (CVE-2018-17199)

According to its banner, the version of Apache running on the remote host is 2.4.x prior to 2.4.38. It is, therefore, affected by multiple vulnerabilities:

  - A denial of service (DoS) vulnerability exists in HTTP/2 steam     handling. An unauthenticated, remote attacker can exploit this     issue, via sending request bodies in a slow loris way to plain     resources, to occupy a server thread. (CVE-2018-17189)

  - A vulnerability exists in mod_sesion_cookie, as it does not     properly check the expiry time of cookies. (CVE-2018-17199) 

  - A denial of service (DoS) vulnerability exists in mod_ssl when     used with OpenSSL 1.1.1 due to an interaction in changes to     handling of renegotiation attempts. An unauthenticated, remote     attacker can exploit this issue to cause mod_ssl to stop     responding. (CVE-2019-0190)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Apache httpd Project reports :

SECURITY: CVE-2018-17199 mod_session: mod_session_cookie does not respect expiry time allowing sessions to be reused.

SECURITY: CVE-2019-0190 mod_ssl: Fix infinite loop triggered by a client-initiated renegotiation in TLSv1.2 (or earlier) with OpenSSL 1.1.1 and later. PR 63052.

SECURITY: CVE-2018-17189 mod_http2: fixes a DoS attack vector. By sending slow request bodies to resources not consuming them, httpd cleanup code occupies a server thread unnecessarily. This was changed to an immediate stream reset which discards all stream state and incoming data.

New httpd packages are available for Slackware 14.0, 14.1, 14.2, and
-current to fix security issues.

ID	Name	Product	Family	Severity
203104	Photon OS 3.0: Httpd PHSA-2019-3.0-0013	Nessus	PhotonOS Local Security Checks	high
124870	Photon OS 1.0: Httpd PHSA-2019-1.0-0230	Nessus	PhotonOS Local Security Checks	high
124680	Photon OS 2.0: Httpd PHSA-2019-2.0-0157	Nessus	PhotonOS Local Security Checks	high
98537	Apache 2.4.x < 2.4.38 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
123427	GLSA-201903-21 : Apache: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
122758	Amazon Linux AMI : httpd24 (ALAS-2019-1166)	Nessus	Amazon Linux Local Security Checks	high
121355	Apache 2.4.x < 2.4.38 Multiple Vulnerabilities	Nessus	Web Servers	high
121336	FreeBSD : Apache -- vulnerability (eb888ce5-1f19-11e9-be05-4c72b94353b5)	Nessus	FreeBSD Local Security Checks	high
121327	Slackware 14.0 / 14.1 / 14.2 / current : httpd (SSA:2019-022-01)	Nessus	Slackware Local Security Checks	high

Detections

Analytics

CVE-2019-0190

high

Tenable Plugins

high

high

high

high

critical

high

high

high

high