Hosting Websites on Bare Minimum VPS/Dedicated Servers

[SECURITY VULNERABILITY] Apache HTTP 2.4.17 to 2.4.38 Local Root Exploit

Apache has recently announced a major security vulnerability. In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.

More Details:
https://httpd.apache.org/security/vulnerabilities_24.html

Update Your Systems!

For those running Apache on their servers, we recommend updating as soon as possible. To do this on a CentOS-based server, simply run:

yum -y update

Servers running cPanel/WHM have already been automatically upgraded. If yours has not, you can upgrade it manually by running:

yum -y update ea-apache24*

After updating Apache, verify the installed version by running the following command. It should report Apache 2.4.39 or higher.

httpd -v
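
The version check above can be scripted across several servers. The following is an added example, not part of the original post: the function name classify_httpd_banner and the sample banners are constructed for illustration, and the range tested is the 2.4.17 to 2.4.38 range stated above.

```shell
#!/bin/sh
# Classify the text printed by `httpd -v` against the affected range
# given in this post (Apache 2.4.17 through 2.4.38, inclusive).

# classify_httpd_banner "<banner text>"
# Prints one of: affected | not-affected | unknown
classify_httpd_banner() {
    # Extract the first "Apache/x.y.z" version from the banner.
    ver=$(printf '%s\n' "$1" \
        | sed -n 's/.*Apache\/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    if [ -z "$ver" ]; then
        # Not an Apache banner, or a format this parser does not know.
        echo unknown
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # Only the 2.4 release line is in scope, patch levels 17 to 38.
    if [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] \
        && [ "$patch" -ge 17 ] && [ "$patch" -le 38 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed sample banners (not captured from real servers).
for banner in \
    'Server version: Apache/2.4.38 (Unix)' \
    'Server version: Apache/2.4.39 (Unix)' \
    'Server version: SomeOtherServer/1.0'; do
    printf '%-42s -> %s\n' "$banner" "$(classify_httpd_banner "$banner")"
done
```

On a live server, pass it the real banner: classify_httpd_banner "$(httpd -v)". Distribution packages can carry a backported fix under an older upstream version number, so confirm an "affected" result against the package changelog before treating the server as unpatched.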

Frequently Asked Question: Are servers running LiteSpeed Web Server affected?

No, they are not. This only affects servers running Apache version 2.4.17 to 2.4.38.
