LowEndBox - Cheap VPS, Hosting and Dedicated Server Deals

[SECURITY VULNERABILITY] Apache HTTP 2.4.17 to 2.4.38 Local Root Exploit

Apache has recently announced a major security vulnerability. In Apache HTTP Server 2.4 releases 2.4.17 to 2.4.38, with MPM event, worker or prefork, code executing in less-privileged child processes or threads (including scripts executed by an in-process scripting interpreter) could execute arbitrary code with the privileges of the parent process (usually root) by manipulating the scoreboard. Non-Unix systems are not affected.

More Details:

Update Your Systems!

For those running Apache on their servers, we’d recommend updating as soon as possible. To do this on a CentOS-based server, simply run:

yum -y update

Servers running cPanel/WHM have already been upgraded automatically. If yours has not, you can upgrade it manually by running:

yum -y update ea-apache24*

After updating Apache, you can verify your current Apache version by running the following command, which should read Apache 2.4.39 or higher.

httpd -v
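
To run the same check across several servers, the `httpd -v` banner can be compared against the affected range given above (2.4.17 to 2.4.38). This is an added example, not part of the original post; the function names and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Classify an `httpd -v` banner against the affected range stated in this
# post: Apache HTTP Server 2.4.17 through 2.4.38.
# apache_version and classify_banner are hypothetical helper names.

# Extract "X.Y.Z" from a banner such as
# "Server version: Apache/2.4.37 (centos)". Prints nothing if no match.
apache_version() {
    printf '%s\n' "$1" |
        sed -n 's|^Server version: Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1
}

# Print "affected", "not-affected" or "unknown" for a banner.
classify_banner() {
    ver=$(apache_version "$1")
    [ -n "$ver" ] || { echo unknown; return 0; }
    major=${ver%%.*}      # "2"    from "2.4.37"
    rest=${ver#*.}        # "4.37"
    minor=${rest%%.*}     # "4"
    patch=${rest#*.}      # "37"
    if [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] &&
       [ "$patch" -ge 17 ] && [ "$patch" -le 38 ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Constructed sample banners (not captured from real servers).
for banner in \
    'Server version: Apache/2.4.16 (Unix)' \
    'Server version: Apache/2.4.37 (centos)' \
    'Server version: Apache/2.4.39 (cPanel)'
do
    printf '%-45s %s\n' "$banner" "$(classify_banner "$banner")"
done

# Check the local server if httpd is installed.
if command -v httpd >/dev/null 2>&1; then
    printf 'local httpd: %s\n' "$(classify_banner "$(httpd -v 2>/dev/null)")"
fi
```

Distribution packages that backport fixes can keep an older upstream version string, so an "affected" result on a distro-packaged httpd is a prompt to check the package changelog. `httpd -v` also reports the binary on disk, so processes started before the update keep running the old code until Apache is restarted.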

Frequently Asked Question: Are servers running LiteSpeed Web Server affected?

No, they are not. This only affects servers running Apache version 2.4.17 to 2.4.38.

