ASA-2019-00028 – Apache HTTP Server: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1


Allele Security Alert

ASA-2019-00028

Identifier(s)

ASA-2019-00028, CVE-2019-0190

Title

mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1

Vendor(s)

Apache Software Foundation

Product(s)

Apache HTTP Server (httpd)

Affected version(s)

Apache HTTP Server version 2.4.37

Fixed version(s)

Apache HTTP Server version 2.4.38

Proof of concept

Yes

Description

A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop, leading to a denial of service. This bug can only be triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction between changes in how the two handle renegotiation attempts.
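As an added defender-side check (not part of the advisory or of the httpd project's code), the following Python script decides whether a build matches the affected combination (httpd exactly 2.4.37 with OpenSSL 1.1.1 or later) from the AH00489 start-up line in error_log, and counts the AH02042 renegotiation rejections that Bug 63052, referenced below, associates with the CPU-pinning "scan". The error_log lines are constructed samples and the AH02042 message text is assumed.

```python
import re
from collections import Counter

# Constructed sample of an Apache error_log (not taken from the advisory). The
# AH00489 start-up line carries both version strings; the AH02042 lines (message
# text assumed) are what Bug 63052 reports before a worker pins at 100% CPU.
SAMPLE_ERROR_LOG = """\
[Wed Jan 23 10:00:00.000000 2019] [mpm_event:notice] [pid 1000:tid 100] AH00489: Apache/2.4.37 (Unix) OpenSSL/1.1.1a configured -- resuming normal operations
[Wed Jan 23 10:00:01.000000 2019] [ssl:error] [pid 1234:tid 140] [client 203.0.113.5:44100] AH02042: rejecting client initiated renegotiation
[Wed Jan 23 10:00:01.100000 2019] [ssl:error] [pid 1234:tid 140] [client 203.0.113.5:44100] AH02042: rejecting client initiated renegotiation
[Wed Jan 23 10:00:01.200000 2019] [ssl:error] [pid 1234:tid 140] [client 203.0.113.5:44100] AH02042: rejecting client initiated renegotiation
[Wed Jan 23 10:00:05.000000 2019] [ssl:error] [pid 1235:tid 141] [client 198.51.100.7:51000] AH02042: rejecting client initiated renegotiation
"""

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")
STARTUP_RE = re.compile(r"AH00489: Apache/(\S+) .*?OpenSSL/(\S+) configured")
RENEG_RE = re.compile(r"\[pid (\d+)(?::tid \d+)?\] \[client ([^\]]+)\] AH02042:")

def parse_version(text):
    """Return the leading numeric x.y.z of a version string ('1.1.1a' -> (1, 1, 1))."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(httpd_version, openssl_version):
    """CVE-2019-0190 needs both conditions: httpd exactly 2.4.37 and OpenSSL >= 1.1.1."""
    return parse_version(httpd_version) == (2, 4, 37) and parse_version(openssl_version) >= (1, 1, 1)

def startup_versions(log_text):
    """Pull (httpd, openssl) version strings from the last AH00489 start-up line, or None."""
    found = STARTUP_RE.findall(log_text)
    return found[-1] if found else None

def reneg_rejections(log_text):
    """Count AH02042 rejections per (pid, client); a burst from one client is the scan signature."""
    return Counter(RENEG_RE.findall(log_text))

def check(log_text, burst_threshold=3):
    """Flag a vulnerable build and any (pid, client) whose rejection burst reaches the threshold."""
    versions = startup_versions(log_text)
    vulnerable = bool(versions) and is_affected(*versions)
    bursts = {k: n for k, n in reneg_rejections(log_text).items() if n >= burst_threshold}
    return vulnerable, bursts

if __name__ == "__main__":
    vulnerable, bursts = check(SAMPLE_ERROR_LOG)
    print("vulnerable build:", vulnerable)
    for (pid, client), n in bursts.items():
        print(f"pid {pid}: {n} renegotiation rejections from {client}")
```

On a live host, point `check` at the real error_log; a vulnerable verdict means upgrading to 2.4.38 per the fixed version above, and a burst identifies the worker process worth inspecting for pinned CPU.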

Technical details

Unknown

Credits

mike bayer

Reference(s)

Apache HTTP Server 2.4 vulnerabilities
https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
https://seclists.org/oss-sec/2019/q1/82

mod_ssl Bug and SSL Labs Renegotiation Test
https://blog.qualys.com/ssllabs/2019/01/23/mod_ssl-bug-and-ssl-labs-renegotiation-test

Bug 63052 – CPU at 100% in process after SSL “scan” that logs as AH02042
https://bz.apache.org/bugzilla/show_bug.cgi?id=63052

Revision 1850946
https://svn.apache.org/viewvc?view=revision&revision=1850946

CVE-2019-0190
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0190

CVE-2019-0190
https://nvd.nist.gov/vuln/detail/CVE-2019-0190

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: October 2, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.