The Apache we have in CWP needs to be updated; a recent Apache release fixed several serious issues, see:
Fixed in Apache httpd 2.4.39
important: Apache HTTP Server privilege escalation from modules' scripts (CVE-2019-0211)
In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, executing code in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.
Acknowledgments: The issue was discovered by Charles Fol.
Reported to security team 22nd February 2019
Issue public 1st April 2019
Affects 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17
important: mod_auth_digest access control bypass (CVE-2019-0217)
In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.
Acknowledgments: The issue was discovered by Simon Kappel.
Reported to security team 29th January 2019
Issue public 1st April 2019
Affects 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0
important: mod_ssl access control bypass (CVE-2019-0215)
In Apache HTTP Server 2.4 releases 2.4.37 and 2.4.38, a bug in mod_ssl when using per-location client certificate verification with TLSv1.3 allowed a client supporting Post-Handshake Authentication to bypass configured access control restrictions.
Acknowledgments: The issue was discovered by Michael Kaufmann.
Reported to security team 23rd January 2019
Issue public 1st April 2019
Affects 2.4.38, 2.4.37
low: mod_http2, possible crash on late upgrade (CVE-2019-0197)
When HTTP/2 was enabled for a http: host or H2Upgrade was enabled for h2 on a https: host, an Upgrade request from http/1.1 to http/2 that was not the first request on a connection could lead to a misconfiguration and crash. Servers that never enabled the h2 protocol, or that only enabled it for https: and did not set "H2Upgrade on", are unaffected by this issue.
Acknowledgments: The issue was discovered by Stefan Eissing, greenbytes.de.
Reported to security team 29th January 2019
Issue public 1st April 2019
Affects 2.4.38, 2.4.37, 2.4.35, 2.4.34
low: mod_http2, read-after-free on a string compare (CVE-2019-0196)
Using fuzzed network input, the HTTP/2 request handling could be made to access freed memory in a string comparison when determining the method of a request, and thus process the request incorrectly.
Acknowledgments: The issue was discovered by Craig Young, <vuln-report@secur3.us>.
Reported to security team 29th January 2019
Issue public 1st April 2019
Affects 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18
low: Apache httpd URL normalization inconsistency (CVE-2019-0220)
When the path component of a request URL contains multiple consecutive slashes ('/'), directives such as LocationMatch and RewriteRule must account for duplicates in regular expressions while other processing aspects will implicitly collapse them.
Acknowledgments: The issue was discovered by Bernhard Lorenz <bernhard.lorenz@alphastrike.io> of Alpha Strike Labs GmbH.
Reported to security team January 2019
Issue public 1st April 2019
Affects 2.4.38, 2.4.37, 2.4.35, 2.4.34, 2.4.33, 2.4.30, 2.4.29, 2.4.28, 2.4.27, 2.4.26, 2.4.25, 2.4.23, 2.4.20, 2.4.18, 2.4.17, 2.4.16, 2.4.12, 2.4.10, 2.4.9, 2.4.7, 2.4.6, 2.4.4, 2.4.3, 2.4.2, 2.4.1, 2.4.0
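To check whether a CWP box is actually exposed to the advisories quoted above, compare the installed httpd version against the affected lists. The following is an added example (not from the forum post, CWP or the Apache project): it parses the banner printed by `httpd -v`, reports which of the six CVEs cover that version, and says whether the build predates 2.4.39. The affected lists are taken from the advisories, written as inclusive ranges over released 2.4.x versions; the binary path `/usr/local/apache/bin/httpd` is assumed to be where CWP keeps its Apache build.

```python
"""Match an `httpd -v` banner against the Apache 2.4.39 advisories.

Added example; the CVE ranges come from the advisories quoted above and the
CWP httpd path is an assumption.
"""
import re
import subprocess
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

FIXED_IN: Version = (2, 4, 39)

# (CVE, severity, first affected, last affected) - inclusive, per the advisories.
ADVISORIES = [
    ("CVE-2019-0211", "important", (2, 4, 17), (2, 4, 38)),  # scoreboard privilege escalation
    ("CVE-2019-0217", "important", (2, 4, 0), (2, 4, 38)),   # mod_auth_digest race
    ("CVE-2019-0215", "important", (2, 4, 37), (2, 4, 38)),  # mod_ssl TLSv1.3 PHA bypass
    ("CVE-2019-0197", "low", (2, 4, 34), (2, 4, 38)),        # mod_http2 late-upgrade crash
    ("CVE-2019-0196", "low", (2, 4, 18), (2, 4, 38)),        # mod_http2 read-after-free
    ("CVE-2019-0220", "low", (2, 4, 0), (2, 4, 38)),         # URL normalization inconsistency
]

BANNER_RE = re.compile(r"Server version:\s*Apache/(\d+)\.(\d+)\.(\d+)")


def parse_httpd_version(banner: str) -> Optional[Version]:
    """Extract (major, minor, patch) from `httpd -v` output; None if absent."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def affected_cves(version: Version) -> List[Tuple[str, str]]:
    """Return [(cve, severity)] for every advisory whose range covers `version`."""
    return [(cve, sev) for cve, sev, lo, hi in ADVISORIES if lo <= version <= hi]


def needs_update(version: Version) -> bool:
    """True when the build predates the 2.4.39 release that fixed all six."""
    return version < FIXED_IN


def installed_banner(httpd: str = "/usr/local/apache/bin/httpd") -> str:
    """Run the local binary. The default path is CWP's usual location (assumed)."""
    return subprocess.run([httpd, "-v"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # Constructed sample banner standing in for real `httpd -v` output.
    sample = "Server version: Apache/2.4.38 (Unix)\nServer built:   Jan 22 2019 10:00:00\n"
    v = parse_httpd_version(sample)
    if v is None:
        raise SystemExit("could not parse httpd version banner")
    print("installed:", ".".join(map(str, v)), "needs update:", needs_update(v))
    for cve, sev in affected_cves(v):
        print(f"  {cve} ({sev})")
```

Replace the constructed `sample` with `installed_banner()` on the server itself. The version string is only an indicator: CWP compiles httpd from source, so the number is meaningful there, but a distribution package that backports fixes can keep an older version while already being patched, so check the vendor changelog before trusting a "vulnerable" verdict on such builds.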
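The CVE-2019-0220 advisory is easy to misread, so here is a model of the inconsistency it describes. This is an added example, not code from the post or from httpd: a regex is applied to the request path exactly as sent (the way LocationMatch and RewriteRule evaluate it), while the path later used to locate the resource has repeated slashes collapsed. The sample paths and the `/admin/` protected prefix are constructed. The weak pattern anchors on a single leading slash and misses `//admin/users`; the hardened pattern accounts for duplicates as the advisory suggests, and the last helper shows the effect of collapsing before matching, which is what the `MergeSlashes` directive introduced in 2.4.39 does by default.

```python
"""Model of the CVE-2019-0220 slash-normalization mismatch (added example)."""
import re
from typing import List


def collapse_slashes(path: str) -> str:
    """Stand-in for the implicit collapsing done by later request processing."""
    return re.sub(r"/+", "/", path)


def regex_protects(pattern: str, raw_path: str) -> bool:
    """LocationMatch/RewriteRule style: the regex sees the path as sent."""
    return re.search(pattern, raw_path) is not None


def bypass_paths(pattern: str, protected_prefix: str, candidates: List[str]) -> List[str]:
    """Candidates that resolve under protected_prefix after collapsing, yet never
    match the access-control regex - i.e. requests that slip past the restriction."""
    return [p for p in candidates
            if collapse_slashes(p).startswith(protected_prefix)
            and not regex_protects(pattern, p)]


def protected_with_normalization(pattern: str, raw_path: str) -> bool:
    """Collapse first, then match: the behaviour of MergeSlashes ON (2.4.39+)."""
    return regex_protects(pattern, collapse_slashes(raw_path))


# Constructed request paths; the first four all land on /admin/users.
CANDIDATES = [
    "/admin/users",
    "//admin/users",
    "/admin//users",
    "///admin///users",
    "/public/index.html",
]

# Weak: <LocationMatch "^/admin/"> - only one leading slash is anticipated.
WEAK = r"^/admin/"
# Hardened: <LocationMatch "^/+admin/+"> - duplicates allowed wherever they can occur.
HARDENED = r"^/+admin/+"

if __name__ == "__main__":
    print("bypass with weak regex:    ", bypass_paths(WEAK, "/admin/", CANDIDATES))
    print("bypass with hardened regex:", bypass_paths(HARDENED, "/admin/", CANDIDATES))
    print("weak regex after normalization:",
          [p for p in CANDIDATES if protected_with_normalization(WEAK, p)])
```

Two practical consequences follow. First, any regex-based restriction written before 2.4.39 should be audited for `^/` anchors and literal `/` separators that assume exactly one slash. Second, whether the backend really collapses slashes depends on what serves the resource (a proxied application may treat `//admin` differently from `/admin`), so normalizing at the front door is preferable to relying on the behaviour of each backend.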