Description
Apache HTTP Server is prone to a local privilege-escalation vulnerability. An attacker can exploit this issue to gain elevated privileges on the affected application. Apache HTTP Server versions 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, and 2.4.17 are vulnerable.
Technologies Affected
- Apache Apache 2.4.17
- Apache Apache 2.4.18
- Apache Apache 2.4.20
- Apache Apache 2.4.23
- Apache Apache 2.4.25
- Apache Apache 2.4.26
- Apache Apache 2.4.27
- Apache Apache 2.4.28
- Apache Apache 2.4.29
- Apache Apache 2.4.30
- Apache Apache 2.4.33
- Apache Apache 2.4.34
- Apache Apache 2.4.35
- Apache Apache 2.4.37
- Apache Apache 2.4.38
- Oracle Enterprise Manager Ops Center 12.3.3
- Oracle Enterprise Manager Ops Center 12.4.0
- Oracle HTTP Server 12.2.1.3.0
- Oracle Instantis EnterpriseTrack 17.1
- Oracle Instantis EnterpriseTrack 17.2
- Oracle Instantis EnterpriseTrack 17.3
- Oracle Retail Xstore Point of Service 7.0
- Oracle Retail Xstore Point of Service 7.1
Recommendations
Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.
Given the nature of this issue, allow only trusted and accountable users to have local, interactive access to vulnerable computers.
Updates are available. Please see the references or vendor advisory for more information.