Rick Cogley's Tech Logr

Short Technical Laser Bursts %%

RC Logr 20190409 224521

Tuesday, 9 Apr, 2019

PSA: A serious bug was discovered in Apache, the web server that powers a lot of the internet. The vulnerability, CVE-2019-0211, allows scripts to be executed with root privileges, enabling system takeover, especially in shared hosting environments. 🐞☠️

The Apache Software Foundation released patched version 2.4.39, so confirm your version and update (or request an update):

~ > httpd -v  # or apache2 on some
Server version: Apache/2.4.34 (Unix)
Server built: Feb 22 2019 19:30:04
~ > curl --head https://thesite.com
HTTP/1.1 200 OK
Date: ...
Server: Apache/2.4.34
...

In a shared environment you might need to confirm the version from your “control panel”. Note that Apache sysadmins can configure the server to block these tools from getting any details about it. The same caveat applies, but you can also put <?php phpinfo() ?> in a file like info.php, then serve and access it.
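To turn the manual check above into something repeatable, here is an added example (not part of the original post) that classifies a version banner from `httpd -v` or a `Server:` header. The function names are hypothetical, and the affected range 2.4.17 to 2.4.38 comes from the Apache advisory for this CVE rather than from the post. Distribution packages often backport fixes without changing the upstream version number, so treat "affected" as a prompt to check the package changelog.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Assumption: CVE-2019-0211 affects upstream 2.4.17 through 2.4.38 (Apache
# advisory); 2.4.39 is the fixed release named in the post.

# Extract "X.Y.Z" from `httpd -v` output or an HTTP Server header.
apache_version() {
    printf '%s\n' "$1" |
        sed -n 's|.*Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1
}

# Print one of: affected | not-affected | unknown
cve_2019_0211_status() {
    ver=$(apache_version "$1")
    # Banner hidden by the server config (e.g. "Server: Apache") or not Apache:
    # the check cannot decide, so say so instead of reporting "safe".
    [ -n "$ver" ] || { echo unknown; return 0; }
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] &&
       [ "$patch" -ge 17 ] && [ "$patch" -le 38 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed sample banners; the first two match the output shown in the post.
for banner in 'Server version: Apache/2.4.34 (Unix)' 'Server: Apache/2.4.34' \
              'Server: Apache/2.4.39 (Debian)' 'Server: Apache'; do
    printf '%-40s %s\n' "$banner" "$(cve_2019_0211_status "$banner")"
done

# Against a real host (thesite.com is the placeholder used in the post):
#   cve_2019_0211_status "$(httpd -v)"
#   cve_2019_0211_status "$(curl -s --head https://thesite.com | grep -i '^server:')"
```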
