Apache web server bug grants root access on shared hosting environments

Companies using Apache on private, non-shared servers are also at risk, but to a lesser degree

Apache web server bug grants root access on shared hosting environments
Courtesy: Catalin Cimpanu | News Source: zdnet.com

This week, the Apache Software Foundation has patched a severe vulnerability in the Apache (httpd) web server project that could --under certain circumstances-- allow rogue server scripts to execute code with root privileges and take over the underlying server.

The vulnerability, tracked as CVE-2019-0211, affects Apache web server releases for Unix systems only, from 2.4.17 to 2.4.38, and was fixed this week with the release of version 2.4.39.

According to the Apache team, less-privileged Apache child processes (such as CGI scripts) can execute malicious code with the privileges of the parent process.

Because on most Unix systems Apache httpd runs under the root user, any threat actor who has planted a malicious CGI script on an Apache server can use CVE-2019-0211 to take over the underlying system running the Apache httpd process, and inherently control the entire machine.

CVE-2019-0211 is a big problem for shared-hosting firms

The vulnerability may not pose an immediate and palpable threat to developers and companies running their own server infrastructure, but the issue is a critical vulnerability inside shared web hosting environments.