History: Apr 03, 2019 - 12:00 a.m.

Apache HTTP Server privilege escalation vulnerability alert (Black Bar Safety Net)

Recently the Apache HTTP Server project officially released version 2.4.39, which fixes a privilege escalation vulnerability numbered CVE-2019-0211. The vulnerability is rated high risk. According to the Sangfor security team the impact is severe: an attacker who can upload an attack script to the target server can use it to escalate privileges on that server. Non-*nix platforms are not affected.
Apache HTTP Server component description
The Apache HTTP Server grew out of the NCSA httpd server and was launched in 1995. Its name comes from the pronunciation of "a patchy server", meaning a server full of patches: because it is free software, people continually develop new features and fix original defects. The Apache HTTP Server is simple, fast and stable, and can also be used as a proxy server. Thanks to its cross-platform support and excellent security, the Apache HTTP Server has been the most popular web server on the Internet since April 1996.
To date the Apache HTTP Server's market share is about 60%, making it the most widely used web server software in the world. Many famous sites, such as Amazon, Yahoo!, the W3 Consortium and the Financial Times, run on the Apache HTTP Server. According to statistics, the number of Apache HTTP Server assets exposed on the open Internet worldwide is as high as 9000 million units. The United States ranks first in publicly exposed Apache HTTP Server instances with 2400 million units, close to 30% of the global total. China and South Korea rank second and third, with 880 million and 670 million publicly exposed Apache HTTP Server instances respectively.
[Figure 1: Apache HTTP Server global usage distribution. Statistics cover only assets exposed on the open Internet; data derived from FOFA.]
The statistics above show that the installed base of the Apache HTTP Server in China is large and its users are very widespread. Within the country, the three provinces with the highest Apache HTTP Server usage are Beijing, Zhejiang and Liaoning: Beijing has the highest count at 2,740,303 instances, Zhejiang province has 100 million or more, and Liaoning province nearly 90 million. Preventing Apache HTTP Server vulnerabilities is therefore particularly important.
[Figure 2: Apache HTTP Server domestic usage distribution. Statistics cover only assets exposed on the open Internet; data derived from FOFA.]
Vulnerability description
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with the MPM event, worker or prefork module, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could manipulate the scoreboard and thereby execute arbitrary code with the privileges of the parent process (usually root). Non-Unix systems are not affected.
Scope of impact
According to statistics, the number of Apache HTTP Server assets exposed on the open Internet worldwide is as high as 9000 million units, of which 800 million or more affected assets are in China.
Currently affected Apache HTTP Server versions:
Apache HTTP Server 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17
Repair recommendations

  1. The Apache HTTP Server project has fixed the vulnerability in Apache HTTP Server 2.4.39. Users can compile and install the latest version to update; download address:
  2. On *nix platforms, users can also update through their distribution's own update channels as needed; each Linux distribution is evaluating this update.
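To turn the affected-version list and the fix recommendation above into a check an administrator can run, here is an added Python example (not part of the original advisory) that parses the banner printed by `httpd -v` and reports whether the build falls in the advisory's affected range, honouring the note that non-Unix builds are unaffected. The banner format `Server version: Apache/2.4.38 (Unix)` is assumed, and the sample banners at the bottom are constructed for illustration.

```python
"""Assess an Apache httpd version banner against the CVE-2019-0211 advisory.

Added example, not part of the original advisory. Assumes the 'httpd -v'
banner format 'Server version: Apache/X.Y.Z (Platform)'.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Range stated in the advisory: 2.4.17 through 2.4.38; fixed in 2.4.39.
AFFECTED_MIN = (2, 4, 17)
AFFECTED_MAX = (2, 4, 38)
FIXED = (2, 4, 39)

# The specific releases the advisory lists as affected.
AFFECTED_RELEASES = {
    (2, 4, n) for n in (38, 37, 35, 34, 33, 30, 29, 28, 27, 26, 25, 23, 20, 18, 17)
}

BANNER_RE = re.compile(
    r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)\s*(?:\(([^)]*)\))?"
)


def parse_banner(text: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Extract (version tuple, platform string) from 'httpd -v' output."""
    m = BANNER_RE.search(text)
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    platform = (m.group(4) or "").strip()
    return version, platform


def is_unix_platform(platform: str) -> bool:
    """The advisory states non-Unix builds are unaffected; treat the
    Windows and NetWare build tags as non-Unix (assumed tag names)."""
    p = platform.lower()
    return not any(tag in p for tag in ("win32", "win64", "netware"))


def assess(text: str) -> dict:
    """Classify a banner as affected / fixed / not_affected / unknown."""
    parsed = parse_banner(text)
    if parsed is None:
        return {"status": "unknown", "reason": "no Apache version banner found"}
    version, platform = parsed
    ver_str = ".".join(map(str, version))
    if not is_unix_platform(platform):
        return {"status": "not_affected", "version": ver_str,
                "reason": "non-Unix build (%s)" % platform}
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        note = "" if version in AFFECTED_RELEASES else " (not in advisory list; verify build)"
        return {"status": "affected", "version": ver_str,
                "reason": "within 2.4.17-2.4.38" + note,
                "fix": "upgrade to 2.4.39 or later"}
    if version >= FIXED:
        return {"status": "fixed", "version": ver_str, "reason": "2.4.39 or later"}
    return {"status": "not_affected", "version": ver_str, "reason": "older than 2.4.17"}


def local_httpd_banner() -> Optional[str]:
    """Run the local httpd binary with -v if one is on PATH; None otherwise."""
    for exe in ("httpd", "apache2", "apachectl"):
        path = shutil.which(exe)
        if not path:
            continue
        try:
            return subprocess.run([path, "-v"], capture_output=True,
                                  text=True, timeout=5).stdout
        except (OSError, subprocess.SubprocessError):
            continue
    return None


# Constructed sample banners for offline demonstration.
SAMPLE_BANNERS = [
    "Server version: Apache/2.4.38 (Unix)\nServer built:   Jan 01 2019 00:00:00",
    "Server version: Apache/2.4.39 (Unix)",
    "Server version: Apache/2.4.38 (Win64)",
    "Server version: Apache/2.4.16 (Unix)",
    "nginx version: nginx/1.14.0",
]

if __name__ == "__main__":
    banner = local_httpd_banner()
    if banner:
        print("local httpd:", assess(banner))
    for sample in SAMPLE_BANNERS:
        print(sample.splitlines()[0], "->", assess(sample))
```

One caveat a practitioner should keep in mind when relying on the banner: Linux distributions that backport the fix through their own update channels (recommendation 2 above) often keep the upstream version number, so a banner such as `Apache/2.4.25 (Debian)` may already carry the patch; confirm against the package changelog rather than the version string alone.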
Reference links