Allele Security Alert
ASA-2019-00171
Identifier(s)
ASA-2019-00171, CVE-2019-0215
Title
mod_ssl access control bypass
Vendor(s)
Apache Software Foundation
Product(s)
Apache HTTP Server (httpd)
Affected version(s)
Apache HTTP Server version 2.4.27 to 2.4.38
Fixed version(s)
Apache HTTP Server version 2.4.39
Proof of concept
Unknown
Description
In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client to bypass configured access control restrictions.
Technical details
Unknown
Credits
Michael Kaufmann
Reference(s)
httpd 2.4 vulnerabilities – The Apache HTTP Server Project
https://httpd.apache.org/security/vulnerabilities_24.html
CVE-2019-0215: mod_ssl access control bypass
https://seclists.org/oss-sec/2019/q2/3
[Apache-SVN] Revision 1855917
https://svn.apache.org/viewvc?view=revision&revision=1855917
Apache 2.4.39 important security release (CVE-2019-0211, CVE-2019-0217 and CVE-2019-0215)
https://blog.bitnami.com/2019/04/apache-2439-important-security-release.html
CVE-2019-0215
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0215
CVE-2019-0215
https://nvd.nist.gov/vuln/detail/CVE-2019-0215
Last modified: October 2, 2019