ASA-2019-00171 – Apache HTTP Server: mod_ssl access control bypass


Allele Security Alert

ASA-2019-00171

Identifier(s)

ASA-2019-00171, CVE-2019-0215

Title

mod_ssl access control bypass

Vendor(s)

Apache Software Foundation

Product(s)

Apache HTTP Server (httpd)

Affected version(s)

Apache HTTP Server version 2.4.27 to 2.4.38

Fixed version(s)

Apache HTTP Server version 2.4.39

Proof of concept

Unknown

Description

In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.

Technical details

Unknown

Credits

Michael Kaufmann

Reference(s)

httpd 2.4 vulnerabilities – The Apache HTTP Server Project
https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2019-0215: mod_ssl access control bypass
https://seclists.org/oss-sec/2019/q2/3

[Apache-SVN] Revision 1855917
https://svn.apache.org/viewvc?view=revision&revision=1855917

Apache 2.4.39 important security release (CVE-2019-0211, CVE-2019-0217 and CVE-2019-0215)
https://blog.bitnami.com/2019/04/apache-2439-important-security-release.html

CVE-2019-0215
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0215

CVE-2019-0215
https://nvd.nist.gov/vuln/detail/CVE-2019-0215

Last modified: October 2, 2019