The Apache HTTP Server is among the top choices for web server software, powering almost 40% of the internet. When such widely used software has a problem in its base structure, it’s crucial to have it fixed as soon as possible. When new vulnerabilities come to the surface, the next course of action is to fix them and, at a later point in time, disclose them to the public. With that said, we would like to spread awareness of some of the latest Apache HTTP Server vulnerabilities.
Three CVEs (Common Vulnerabilities and Exposures) were made public on the 2nd of April. The exploit itself affects all versions from 2.4.17 to 2.4.38. It consists of executing code as root on the machine, via code manipulation at a given cycle. Put simply, it could allow any less-privileged user to execute arbitrary code with root privileges on the target server. Rest assured that this is not a delayed April Fools’ joke.
The information provided here is our interpretation of the official statements for CVE-2019-0211, CVE-2019-0217 and CVE-2019-0215.
What harm can potentially happen?
The flaw affects all previous versions of the Apache HTTP Server. The exploit can only target shared hosting environments, or any configuration where multiple users share the same server and have active permissions to upload and execute code. Without an active user on the server, it does not pose a threat.
In a vulnerable environment, this flaw could lead to catastrophic damage. Any user on the Apache HTTP Server could potentially (if done correctly) gain root privileges on the machine and, with them, access to the content files of all other users on the same server.
Does this affect me?
As you should expect from FastComet, we did not lose any time in taking the needed actions and immediately started patching the vulnerability. We have already mass-updated all of our shared hosting servers, as well as our clients on VPS/Dedicated Server packages. On the rare occasion that the update did not go through, we urge our clients to contact us via Live Chat or Ticket, and we will manually force-update their Apache versions.
How do I check my Apache version?
The easiest way to check is to log in to any cPanel account on a given server and then click “Server Information”.
The version you want to see is 2.4.39 or above.
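The same check can be scripted. The following is an added example, not part of the original post or FastComet's tooling: it classifies an Apache version banner against the range given above (2.4.17 to 2.4.38 affected, 2.4.39 or above fixed). The function names and sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an Apache version banner against the range
# stated in this post. Function names are hypothetical.

# Pull "major.minor.patch" out of a banner such as
#   "Server version: Apache/2.4.38 (Unix)" or "Server: Apache/2.4.39 (cPanel)".
# Prints nothing when the banner carries no version (e.g. "Server: Apache").
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's|.*Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1
}

# Print one of: affected | fixed | older | unknown
classify_apache() {
    ver=$(extract_version "$1")
    if [ -z "$ver" ]; then
        echo unknown            # version hidden or banner not recognised
        return 0
    fi
    # Compare numerically, field by field packed into one integer.
    # A plain string comparison would wrongly sort 2.4.9 after 2.4.17.
    printf '%s\n' "$ver" | awk -F. '{
        key = $1 * 1000000 + $2 * 1000 + $3
        if (key >= 2004017 && key <= 2004038) print "affected"
        else if (key >= 2004039)              print "fixed"
        else                                  print "older"  # below 2.4.17, still under 2.4.39
    }'
}

# Constructed sample banners (not taken from any real server).
for banner in \
    "Server version: Apache/2.4.38 (Unix)" \
    "Server: Apache/2.4.39 (cPanel)" \
    "Server version: Apache/2.4.9 (Unix)" \
    "Server: Apache"
do
    printf '%-42s %s\n' "$banner" "$(classify_apache "$banner")"
done
```

On a server with shell access, pass the output of `httpd -v` (or `apache2 -v` on Debian-based systems) to `classify_apache`. Distribution packages sometimes backport security fixes without changing the upstream version number, so treat an "affected" result as a prompt to check the package changelog rather than as proof.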
Security is Key!
Always keep in mind that security is one of the most important aspects of web hosting technology. It is not that hard to keep track of, and FastComet will always make sure to help wherever possible. In case you have any questions, feel free to post them as comments and we will gladly address them.