{ "threat_severity" : "Moderate", "public_date" : "2019-04-01T00:00:00Z", "bugzilla" : { "description" : "httpd: mod_auth_digest: access control bypass due to race condition", "id" : "1695020", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1695020" }, "cvss3" : { "cvss3_base_score" : "7.1", "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status" : "verified" }, "cwe" : "CWE-284", "details" : [ "In Apache HTTP Server 2.4 release 2.4.38 and prior, a race condition in mod_auth_digest when running in a threaded server could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions.", "A race condition was found in mod_auth_digest when the web server was running in a threaded MPM configuration. It could allow a user with valid credentials to authenticate using another username, bypassing configured access control restrictions." ], "statement" : "Based on the the fact that digest authentication is rarely used in modern day web applications and httpd package shipped with Red Hat products do not ship threaded MPM configuration by default, this flaw has been rated as having Moderate level security impact. Red Hat Enterprise Linux 6 is now in Maintenance Support 2 Phase of the support and maintenance life cycle. This flaw has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.", "affected_release" : [ { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3932", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-apr-0:1.6.3-63.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3932", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3932", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3932", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-curl-0:7.64.1-14.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3932", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3932", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-jansson-0:2.11-20.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3932", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3932", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3932", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3932", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 6", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3932", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el6", "package" : "jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el6" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3933", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-apr-0:1.6.3-63.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3933", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-apr-util-0:1.6.1-48.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3933", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-brotli-0:1.0.6-7.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3933", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-curl-0:7.64.1-14.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3933", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-httpd-0:2.4.37-33.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3933", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-jansson-0:2.11-20.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3933", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.12-9.Final_redhat_2.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3933", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_jk-0:1.2.46-22.redhat_1.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3933", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-mod_security-0:2.9.2-16.GA.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3933", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-nghttp2-0:1.39.2-4.jbcs.el7" }, { "product_name" : "JBoss Core Services on RHEL 7", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3933", "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7", "package" : "jbcs-httpd24-openssl-1:1.1.1-25.jbcs.el7" }, { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2019-08-06T00:00:00Z", "advisory" : "RHSA-2019:2343", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "httpd-0:2.4.6-90.el7" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2019-11-05T00:00:00Z", "advisory" : "RHSA-2019:3436", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "httpd:2.4-8010020190829143335.cdc1202b" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date" : "2019-12-10T00:00:00Z", "advisory" : "RHSA-2019:4126", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6", "package" : "httpd24-0:1.1-19.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date" : "2019-12-10T00:00:00Z", "advisory" : "RHSA-2019:4126", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6", "package" : "httpd24-httpd-0:2.4.34-15.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date" : "2019-12-10T00:00:00Z", "advisory" : "RHSA-2019:4126", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6", "package" : "httpd24-nghttp2-0:1.7.1-8.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2019-12-10T00:00:00Z", "advisory" : "RHSA-2019:4126", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-0:1.1-19.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2019-12-10T00:00:00Z", "advisory" : "RHSA-2019:4126", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-httpd-0:2.4.34-15.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2019-12-10T00:00:00Z", "advisory" : "RHSA-2019:4126", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-nghttp2-0:1.7.1-8.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date" : "2019-12-10T00:00:00Z", "advisory" : "RHSA-2019:4126", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-0:1.1-19.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date" : "2019-12-10T00:00:00Z", "advisory" : "RHSA-2019:4126", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-httpd-0:2.4.34-15.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date" : "2019-12-10T00:00:00Z", "advisory" : "RHSA-2019:4126", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-nghttp2-0:1.7.1-8.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2019-12-10T00:00:00Z", "advisory" : "RHSA-2019:4126", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-0:1.1-19.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2019-12-10T00:00:00Z", "advisory" : "RHSA-2019:4126", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-httpd-0:2.4.34-15.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date" : "2019-12-10T00:00:00Z", "advisory" : "RHSA-2019:4126", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-nghttp2-0:1.7.1-8.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date" : "2019-12-10T00:00:00Z", "advisory" : "RHSA-2019:4126", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-0:1.1-19.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date" : "2019-12-10T00:00:00Z", "advisory" : "RHSA-2019:4126", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-httpd-0:2.4.34-15.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date" : "2019-12-10T00:00:00Z", "advisory" : "RHSA-2019:4126", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "httpd24-nghttp2-0:1.7.1-8.el7" }, { "product_name" : "Text-Only JBCS", "release_date" : "2019-11-20T00:00:00Z", "advisory" : "RHSA-2019:3935", "cpe" : "cpe:/a:redhat:jboss_core_services:1" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Out of support scope", "package_name" : "httpd", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "httpd", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2", "fix_state" : "Out of support scope", "package_name" : "httpd", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2" }, { "product_name" : "Red Hat Virtualization 4", "fix_state" : "Not affected", "package_name" : "rhvm-appliance", "cpe" : "cpe:/o:redhat:rhev_hypervisor:4" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-0217\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-0217\nhttp://www.apache.org/dist/httpd/CHANGES_2.4\nhttps://httpd.apache.org/security/vulnerabilities_24.html" ], "name" : "CVE-2019-0217", "mitigation" : { "value" : "This flaw only affects a threaded server configuration, so using the prefork MPM is an effective mitigation. In versions of httpd package shipped with Red Hat Enterprise Linux 7, the prefork MPM is the default configuration.", "lang" : "en:us" }, "csaw" : false }