CVE-2019-0215 - In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location clien

CVE-2019-0215

Summary

In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.

References

Vulnerable Configurations

cpe:2.3:a:apache:http_server:2.4.37:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.37:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.38:*:*:*:*:*:*:*
cpe:2.3:a:apache:http_server:2.4.38:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*

CVSS

Base:	6.0 (as of 06-06-2021 - 11:15)
Impact:
Exploitability:

CWE

NVD-CWE-noinfo

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	MEDIUM	SINGLE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:M/Au:S/C:P/I:P/A:P

redhat via4

advisories

bugzilla

id	1695025
title	CVE-2019-0215 httpd: mod_ssl: access control bypass when using per-location client certification authentication

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 8 is installed
oval oval:com.redhat.rhba:tst:20193384074
comment Module httpd:2.4 is enabled
oval oval:com.redhat.rhsa:tst:20190980027

AND

comment httpd is earlier than 0:2.4.37-11.module+el8.0.0+2969+90015743
oval oval:com.redhat.rhsa:tst:20190980001
comment httpd is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20152194002

AND

comment httpd-debugsource is earlier than 0:2.4.37-11.module+el8.0.0+2969+90015743
oval oval:com.redhat.rhsa:tst:20190980003
comment httpd-debugsource is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20190980004

AND

comment httpd-devel is earlier than 0:2.4.37-11.module+el8.0.0+2969+90015743
oval oval:com.redhat.rhsa:tst:20190980005
comment httpd-devel is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20152194004

AND

comment httpd-filesystem is earlier than 0:2.4.37-11.module+el8.0.0+2969+90015743
oval oval:com.redhat.rhsa:tst:20190980007
comment httpd-filesystem is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20190980008

AND

comment httpd-manual is earlier than 0:2.4.37-11.module+el8.0.0+2969+90015743
oval oval:com.redhat.rhsa:tst:20190980009
comment httpd-manual is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20152194006

AND

comment httpd-tools is earlier than 0:2.4.37-11.module+el8.0.0+2969+90015743
oval oval:com.redhat.rhsa:tst:20190980011
comment httpd-tools is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20152194008

AND

comment mod_http2 is earlier than 0:1.11.3-2.module+el8.0.0+2969+90015743
oval oval:com.redhat.rhsa:tst:20190980013
comment mod_http2 is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20190980014

AND

comment mod_http2-debugsource is earlier than 0:1.11.3-2.module+el8.0.0+2969+90015743
oval oval:com.redhat.rhsa:tst:20190980015
comment mod_http2-debugsource is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20190980016

AND

comment mod_ldap is earlier than 0:2.4.37-11.module+el8.0.0+2969+90015743
oval oval:com.redhat.rhsa:tst:20190980017
comment mod_ldap is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20152194010

AND

comment mod_md is earlier than 0:2.4.37-11.module+el8.0.0+2969+90015743
oval oval:com.redhat.rhsa:tst:20190980019
comment mod_md is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20190980020

AND

comment mod_proxy_html is earlier than 1:2.4.37-11.module+el8.0.0+2969+90015743
oval oval:com.redhat.rhsa:tst:20190980021
comment mod_proxy_html is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20152194012

AND

comment mod_session is earlier than 0:2.4.37-11.module+el8.0.0+2969+90015743
oval oval:com.redhat.rhsa:tst:20190980023
comment mod_session is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20152194014

AND

comment mod_ssl is earlier than 1:2.4.37-11.module+el8.0.0+2969+90015743
oval oval:com.redhat.rhsa:tst:20190980025
comment mod_ssl is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhba:tst:20152194016

rhsa

id	RHSA-2019:0980
released	2019-05-07
severity	Important
title	RHSA-2019:0980: httpd:2.4 security update (Important)

rpms

httpd-0:2.4.37-11.module+el8.0.0+2969+90015743
httpd-debuginfo-0:2.4.37-11.module+el8.0.0+2969+90015743
httpd-debugsource-0:2.4.37-11.module+el8.0.0+2969+90015743
httpd-devel-0:2.4.37-11.module+el8.0.0+2969+90015743
httpd-filesystem-0:2.4.37-11.module+el8.0.0+2969+90015743
httpd-manual-0:2.4.37-11.module+el8.0.0+2969+90015743
httpd-tools-0:2.4.37-11.module+el8.0.0+2969+90015743
httpd-tools-debuginfo-0:2.4.37-11.module+el8.0.0+2969+90015743
mod_http2-0:1.11.3-2.module+el8.0.0+2969+90015743
mod_http2-debuginfo-0:1.11.3-2.module+el8.0.0+2969+90015743
mod_http2-debugsource-0:1.11.3-2.module+el8.0.0+2969+90015743
mod_ldap-0:2.4.37-11.module+el8.0.0+2969+90015743
mod_ldap-debuginfo-0:2.4.37-11.module+el8.0.0+2969+90015743
mod_md-0:2.4.37-11.module+el8.0.0+2969+90015743
mod_md-debuginfo-0:2.4.37-11.module+el8.0.0+2969+90015743
mod_proxy_html-1:2.4.37-11.module+el8.0.0+2969+90015743
mod_proxy_html-debuginfo-1:2.4.37-11.module+el8.0.0+2969+90015743
mod_session-0:2.4.37-11.module+el8.0.0+2969+90015743
mod_session-debuginfo-0:2.4.37-11.module+el8.0.0+2969+90015743
mod_ssl-1:2.4.37-11.module+el8.0.0+2969+90015743
mod_ssl-debuginfo-1:2.4.37-11.module+el8.0.0+2969+90015743

refmap via4

bid	107667
confirm	https://security.netapp.com/advisory/ntap-20190423-0001/ https://support.f5.com/csp/article/K59440504
fedora	FEDORA-2019-119b14075a FEDORA-2019-a4ed7400f4 FEDORA-2019-cf7695b470
misc	https://httpd.apache.org/security/vulnerabilities_24.html https://www.oracle.com/security-alerts/cpuapr2020.html https://www.oracle.com/security-alerts/cpujan2020.html https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
mlist	[httpd-cvs] 20190402 svn commit: r1856807 - /httpd/test/framework/trunk/t/security/CVE-2019-0215.t [httpd-cvs] 20190806 svn commit: r1864463 - /httpd/test/framework/trunk/t/security/CVE-2019-0215.t [httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html [httpd-dev] 20190804 Re: svn commit: r1856807 - /httpd/test/framework/trunk/t/security/CVE-2019-0215.t [httpd-dev] 20190806 Re: svn commit: r1856807 - /httpd/test/framework/trunk/t/security/CVE-2019-0215.t [oss-security] 20190401 CVE-2019-0215: mod_ssl access control bypass

Last major update

06-06-2021 - 11:15

Published

08-04-2019 - 20:29

Last modified

06-06-2021 - 11:15