Vulnerabilities are always critical. And, when it is with Apache web server, it affects all websites.
On April 1st, 2019, Security Experts disclosed a critical privilege escalation vulnerability in the Apache HTTP server. Unfortunately, it needs a prompt fix.
At Bobcares, applying proper security updates is a part of our Server Management Services. Therefore, it helps to prevent hackers exploiting any vulnerability.
In this write up, we’ll see the details of the recent Apache CVE-2019-0211 vulnerability and how our Security Engineers fix it on the customer’s server.
Details of the Apache CVE-2019-0211 vulnerability
Firstly, let’s get an idea of the Apache CVE-2019-0211 vulnerability.
In simple words, this vulnerability allows users with write and execute permissions to gain root privileges on Unix systems. This occurs in Apache 2.4.x releases.
Unfortunately, it affects all Apache installations with MPM event, worker or prefork. By this exploit, code executing in less-privileged child processes or threads allows to execute arbitrary code with the privileges of the parent process. Thus, they get root access by altering the scoreboard.
Does it affect my server?
Knowing about a vulnerability can make any one panic. And, the immediate reaction would be to check if it affects your server.
Now, let’s see if CVE-2019-0211 is something that you need to worry about. The main things that make your server vulnerable are:
- You have a Unix server with Apache web server
- Apache release version is from 2.4.17 to 2.4.38
- You own a shared server with too many users
- You have set manual updates on your server
Likewise, even if your server have control panels like cPanel, Plesk, etc. it’s worth to check the Apache versions and confirm that it is not vulnerable. This particularly applies to servers where all security patches are updated manually.
[Is your server having vulnerable Apache version ? We can fix it for you.]
How to fix Apache CVE-2019-0211?
OK. I have a vulnerable Apache version! What next?
Now, we’ll see how our Support Engineers mitigate the vulnerability and secure the server.
As of this writing, the quick fix for Apache CVE-2019-0211 vulnerability is to upgrade Apache to 2.4.39.
Unfortunately, upgrading Apache on the server has a wide impact. Even a small mistake in the upgrade process can make all your websites down. That’s why, our Dedicated Engineers always do a server analysis prior to the Apache upgrade.
Steps for Apache upgrade
Now, we’ll see the steps that we do as part of Apache upgrade.
1. Collecting details
As part of the upgrade process, we first collect information about the production server. This include details like number of websites on the server, PHP version, other Apache modules, custom website configuration, etc.
2. Making Apache backup
Secondly, we proceed with taking a backup of Apache configuration files. Apache configuration on the server is really critical. If the upgrade fails for any reason, all websites go down. That’s where these backups come handy.
3. Upgrade Apache
Usually, the Apache upgrade process work with out any hiccups. But, when there is an upgrade failure, it becomes a havoc.
That’s why, our Dedicated Engineers always schedule the upgrade of Apache to off peak times. This helps to avoid the website downtime in business hours. Additionally, for critical websites, our Dedicated Engineers suggest customers to notify users about the scheduled upgrade.
After the upgrade to Apache 2.4.39, we double check and confirm that all related modules are working fine.
4. Verifying websites
Finally, we complete the upgrade process by checking random websites on the server. Thus, it helps us to avoid website downtime issues on the server. With this, we complete the patching of Apache web server.
[Do you know that we proactively upgrade server software as part of Server Management Services ? And, you need not worry about the servers.]
Conclusion
In short, Apache vulnerability CVE-2019-0211 requires urgent attention. It allows users with limited permissions to elevate their privileges as root. Today, we saw the type of servers that affect Apache CVE-2019-0211 vulnerability and how our Dedicated Engineers fix it.
0 Comments