Allele Security Alert
ASA-2019-00028
Identifier(s)
ASA-2019-00028, CVE-2019-0190
Title
mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
Vendor(s)
Apache Software Foundation
Product(s)
Apache HTTP Server (httpd)
Affected version(s)
Apache HTTP Server version 2.4.37
Fixed version(s)
Apache HTTP Server version 2.4.38
Proof of concept
Yes
Description
A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop, leading to a denial of service. This bug can only be triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction between changes in the handling of renegotiation attempts.
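The bug report referenced below notes that an affected process pegs a CPU core after an SSL "scan" that logs as AH02042 (mod_ssl's "rejecting client initiated renegotiation" message). The following Python script is an added example written for this alert, not code from the Apache project or from the original advisory: it parses Apache 2.4 error_log lines, counts AH02042 events per client host, and flags hosts that exceed a threshold, so an operator running 2.4.37 can correlate a CPU spike with a burst of rejected renegotiations from one peer. The sample log lines are constructed for the illustration, the line layout follows the standard 2.4 error-log format, and the alert threshold is an assumed value to tune per site.

```python
import re
from collections import Counter

# Constructed sample error_log lines in the Apache 2.4 error-log layout
# (example data written for this illustration, not taken from the advisory).
SAMPLE_ERROR_LOG = """\
[Wed Jan 23 10:00:01.000001 2019] [ssl:error] [pid 1234:tid 140] [client 203.0.113.5:50001] AH02042: rejecting client initiated renegotiation
[Wed Jan 23 10:00:01.000002 2019] [ssl:error] [pid 1234:tid 140] [client 203.0.113.5:50001] AH02042: rejecting client initiated renegotiation
[Wed Jan 23 10:00:01.000003 2019] [ssl:error] [pid 1234:tid 140] [client 203.0.113.5:50001] AH02042: rejecting client initiated renegotiation
[Wed Jan 23 10:00:02.000001 2019] [ssl:error] [pid 1234:tid 141] [client 198.51.100.7:40002] AH02042: rejecting client initiated renegotiation
[Wed Jan 23 10:00:03.000001 2019] [core:notice] [pid 1000:tid 100] AH00094: Command line: '/usr/sbin/httpd'
[Wed Jan 23 10:00:04.000001 2019] [ssl:error] [pid 1234:tid 140] [client 203.0.113.5:50001] AH02042: rejecting client initiated renegotiation
"""

# Standard 2.4 error_log layout: [timestamp] [module:level] [pid N(:tid N)] ([client addr:port]) AHnnnnn: message
# The [client ...] field is optional because not every line is tied to a connection.
ERROR_LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?P<code>AH\d{5}): (?P<msg>.*)$"
)


def parse_error_log(text):
    """Yield one dict per error_log line that matches the 2.4 layout; skip anything else."""
    for line in text.splitlines():
        m = ERROR_LINE_RE.match(line)
        if m:
            yield m.groupdict()


def ah02042_by_client(text):
    """Count AH02042 (rejected client-initiated renegotiation) per client host.

    The client field carries addr:port; the port is stripped so that repeated
    connections from the same host aggregate into one counter.
    """
    counts = Counter()
    for rec in parse_error_log(text):
        if rec["code"] == "AH02042" and rec["client"]:
            host = rec["client"].rsplit(":", 1)[0]
            counts[host] += 1
    return counts


def flag_renegotiation_floods(text, threshold=3):
    """Return the sorted list of hosts whose AH02042 count reaches the threshold.

    The threshold is an assumed starting value for this example; a busy site
    should set it from its own baseline of legitimate renegotiation rejects.
    """
    return sorted(host for host, n in ah02042_by_client(text).items() if n >= threshold)


if __name__ == "__main__":
    # Usage: read the real error_log instead of the constructed sample, e.g.
    #   text = open("/var/log/httpd/error_log").read()
    for host, n in ah02042_by_client(SAMPLE_ERROR_LOG).most_common():
        print(f"{host}: {n} rejected renegotiations")
    print("hosts over threshold:", flag_renegotiation_floods(SAMPLE_ERROR_LOG))
```

A burst of AH02042 from a single host is only a correlation hint, not proof of this CVE: on a patched 2.4.38 server the same message is logged when a client simply asks to renegotiate and is refused. Pair the counter with process CPU monitoring and with the version check (2.4.37 built against OpenSSL 1.1.1 or later) before attributing an outage to this bug.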
Technical details
Unknown
Credits
Mike Bayer
Reference(s)
Apache HTTP Server 2.4 vulnerabilities
https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2019-0190: mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1
https://seclists.org/oss-sec/2019/q1/82
mod_ssl Bug and SSL Labs Renegotiation Test
https://blog.qualys.com/ssllabs/2019/01/23/mod_ssl-bug-and-ssl-labs-renegotiation-test
Bug 63052 – CPU at 100% in process after SSL “scan” that logs as AH02042
https://bz.apache.org/bugzilla/show_bug.cgi?id=63052
Revision 1850946
https://svn.apache.org/viewvc?view=revision&revision=1850946
CVE-2019-0190
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0190
CVE-2019-0190
https://nvd.nist.gov/vuln/detail/CVE-2019-0190
If there is any error in this alert, or if you would like a comprehensive analysis, let us know.
Last modified: October 2, 2019