Allele Security Alert
mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Vendor
Apache Software Foundation
Product
Apache HTTP Server (httpd)
Affected version
Apache HTTP Server version 2.4.37
Fixed version
Apache HTTP Server version 2.4.38
Proof of concept
Description
A bug exists in the way mod_ssl handles client renegotiations. A remote attacker could send a carefully crafted request that causes mod_ssl to enter a loop, leading to a denial of service. The bug can only be triggered in Apache HTTP Server version 2.4.37 when it is used with OpenSSL version 1.1.1 or later, due to an interaction between changes in how renegotiation attempts are handled.
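The following is an added triage example written for this alert; it is not code from Allele Security or from the Apache project. It does two things a defender would want from the description above: decide from an httpd/OpenSSL version pair whether a server falls in the affected window (only 2.4.37 with OpenSSL 1.1.1 or later), and scan an Apache error_log for bursts of AH02042 rejections per client address, the symptom recorded in Bug 63052. The log lines are constructed; the exact AH02042 message wording ("rejecting client initiated renegotiation"), the AH00489 startup line carrying the version strings, and the flagging threshold of three rejections are assumptions, not taken from the alert.

```python
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed Apache error_log excerpt (not from the advisory). The AH02042
# wording and the AH00489 startup banner are assumed to match httpd's text.
SAMPLE_ERROR_LOG = """\
[Tue Jan 22 09:59:00.000000 2019] [mpm_event:notice] [pid 2200:tid 140] AH00489: Apache/2.4.37 (Unix) OpenSSL/1.1.1a configured -- resuming normal operations
[Tue Jan 22 10:00:01.123456 2019] [ssl:error] [pid 2201:tid 140] [client 192.0.2.10:44321] AH02042: rejecting client initiated renegotiation
[Tue Jan 22 10:00:01.223456 2019] [ssl:error] [pid 2201:tid 140] [client 192.0.2.10:44322] AH02042: rejecting client initiated renegotiation
[Tue Jan 22 10:00:01.323456 2019] [ssl:error] [pid 2201:tid 141] [client 192.0.2.10:44323] AH02042: rejecting client initiated renegotiation
[Tue Jan 22 10:00:01.423456 2019] [ssl:error] [pid 2201:tid 141] [client 192.0.2.10:44324] AH02042: rejecting client initiated renegotiation
[Tue Jan 22 10:00:02.000001 2019] [ssl:error] [pid 2201:tid 142] [client 198.51.100.7:51000] AH02042: rejecting client initiated renegotiation
[Tue Jan 22 10:00:03.000000 2019] [ssl:info] [pid 2201:tid 143] [client 203.0.113.5:40000] AH01964: Connection to child 3 established (server www.example.com:443)
"""

# Default httpd 2.4 error-log layout: timestamp, module:level, pid[:tid],
# optional client address, optional AHxxxxx code, free-text message.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?:(?P<code>AH\d{5}): )?(?P<msg>.*)$"
)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
STARTUP_RE = re.compile(r"Apache/(\S+) .*?OpenSSL/(\S+)")


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one error_log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def client_ip(client_field: str) -> str:
    # httpd appends ":port" to the client address; drop only the final
    # ":port" so counts key on the source address, not on each socket.
    return client_field.rsplit(":", 1)[0]


def version_tuple(version: str) -> Tuple[int, int, int]:
    """Numeric prefix of a version string; '1.1.1a' and '2.4.37' both parse."""
    m = VERSION_RE.search(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(httpd_version: str, openssl_version: str) -> bool:
    """True only for httpd 2.4.37 linked against OpenSSL 1.1.1 or later, per the alert."""
    return (version_tuple(httpd_version) == (2, 4, 37)
            and version_tuple(openssl_version) >= (1, 1, 1))


def server_versions_from_log(log_text: str) -> Optional[Tuple[str, str]]:
    """Pull (httpd, openssl) version strings from the AH00489 startup banner."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["code"] == "AH00489":
            m = STARTUP_RE.search(rec["msg"])
            if m:
                return m.group(1), m.group(2)
    return None


def count_renegotiation_rejects(log_text: str) -> Counter:
    """Number of AH02042 'rejecting client initiated renegotiation' events per client IP."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["code"] == "AH02042" and rec["client"]:
            counts[client_ip(rec["client"])] += 1
    return counts


def flag_scanners(log_text: str, threshold: int = 3) -> Dict[str, int]:
    """Clients whose rejected-renegotiation count reaches the (assumed) threshold."""
    return {ip: n for ip, n in count_renegotiation_rejects(log_text).items()
            if n >= threshold}


if __name__ == "__main__":
    versions = server_versions_from_log(SAMPLE_ERROR_LOG)
    if versions:
        print("httpd %s with OpenSSL %s affected: %s" % (*versions, is_affected(*versions)))
    for ip, n in flag_scanners(SAMPLE_ERROR_LOG).items():
        print(f"{ip}: {n} rejected renegotiations")
```

Pair the version check with process CPU monitoring when reviewing a real host: a 2.4.37 child pinned at 100% CPU right after a burst of AH02042 lines from one address is the pattern Bug 63052 describes, and the remediation the alert records is moving to 2.4.38.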
References
Apache HTTP Server 2.4 vulnerabilities
CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
mod_ssl Bug and SSL Labs Renegotiation Test
Bug 63052 – CPU at 100% in process after SSL "scan" that logs as AH02042
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: October 2, 2019