SB2019071659 - Multiple vulnerabilities in Oracle HTTP Server 


Published: July 16, 2019

Security Bulletin ID: SB2019071659
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium: 50%, Low: 50%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Improper input validation (CVE-ID: CVE-2019-2751)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

The vulnerability exists due to improper input validation within the OHS Config MBeans component in Oracle HTTP Server. A remote non-authenticated attacker can exploit this vulnerability to gain access to sensitive information.


2) Privilege escalation (CVE-ID: CVE-2019-0211)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists within the MPM implementation because the application does not properly maintain each child's listener bucket number in the scoreboard. Unprivileged code or scripts run by the server (e.g. via mod_php) can therefore modify the scoreboard and abuse the privileged main process.

A local user can execute arbitrary code on the system with the privileges of the Apache HTTP Server process.
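The defect class described above, as an added illustration that is not Apache httpd source and not part of this bulletin: a privileged parent that trusts a child-writable scoreboard value as an index, beside the hardened pattern of a parent-owned record plus range and consistency checks. All names, sizes and the tampered value are constructed for the example.

```c
/* Constructed model of the defect class described for CVE-2019-0211 (added
 * example, not Apache httpd source; all names are hypothetical). The privileged
 * parent records each child's listener bucket number in a scoreboard that sits
 * in shared memory writable by the unprivileged children. */
#define NUM_BUCKETS  2
#define NUM_CHILDREN 4

typedef struct { int pid; int bucket; } score_slot;          /* shared, child-writable */
typedef struct { score_slot parent[NUM_CHILDREN]; } scoreboard;
typedef struct { int bucket[NUM_CHILDREN]; } parent_private; /* parent memory only */

/* Vulnerable pattern: the parent reads the bucket number back from the shared
 * scoreboard and would use it unchecked as an index into its own tables, so a
 * child that rewrote its slot steers the parent's access. */
int bucket_for_child_trusting(const scoreboard *sb, int slot) {
    return sb->parent[slot].bucket;
}

/* Hardened pattern: the parent's private record is authoritative, every index
 * is range-checked, and a disagreeing scoreboard value is treated as tampering.
 * Returns -1 instead of an index on any inconsistency. */
int bucket_for_child_checked(const scoreboard *sb, const parent_private *priv, int slot) {
    if (slot < 0 || slot >= NUM_CHILDREN) return -1;
    int b = priv->bucket[slot];
    if (b < 0 || b >= NUM_BUCKETS) return -1;
    if (sb->parent[slot].bucket != b) return -1;  /* child modified the scoreboard */
    return b;
}

/* Parent-side assignment: both the private record and the shared slot are set. */
void assign_bucket(scoreboard *sb, parent_private *priv, int slot, int bucket) {
    priv->bucket[slot] = bucket;
    sb->parent[slot].bucket = bucket;
}

/* Constructed scenario: the parent assigns bucket 1 to slot 0, then an
 * unprivileged child overwrites the shared slot with `tampered`. */
int scenario_trusting(int tampered) {
    scoreboard sb = {0}; parent_private priv = {0};
    assign_bucket(&sb, &priv, 0, 1);
    sb.parent[0].bucket = tampered;
    return bucket_for_child_trusting(&sb, 0);   /* hands back whatever the child wrote */
}
int scenario_checked(int tampered) {
    scoreboard sb = {0}; parent_private priv = {0};
    assign_bucket(&sb, &priv, 0, 1);
    sb.parent[0].bucket = tampered;
    return bucket_for_child_checked(&sb, &priv, 0);  /* -1 unless the slot is intact */
}
```

With the tampered value 4096, the trusting lookup returns 4096 as an index while the checked lookup refuses with -1; an untouched slot still yields bucket 1.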


Remediation

Install update from vendor's website.