CVE-2019-0190
HIGH EXPLOITEDApache HTTP Server 2.4.37 - Denial of Service via mod_ssl Client Renegotiation
Title source: llmExploitation Summary
CVE-2019-0190 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts.
References (20)
Core 20
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/106743
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201903-21
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/56c2e7cc9deb1c12a843d0dc251ea7fd3e7e80293cde02fcd65286ba%40%3Ccvs.httpd.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/84a3714f0878781f6ed84473d1a503d2cc382277e100450209231830%40%3Ccvs.httpd.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rd18c3c43602e66f9cdcf09f1de233804975b9572b0456cc582390b6f%40%3Ccvs.httpd.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/re3d27b6250aa8548b8845d314bb8a350b3df326cacbbfdfe4d455234%40%3Ccvs.httpd.apache.org%3E
Third Party Advisory x_refsource_misc
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Third Party Advisory x_refsource_misc
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
Vendor Advisory x_refsource_confirm
https://httpd.apache.org/security/vulnerabilities_24.html
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rf6449464fd8b7437704c55f88361b66f12d5b5f90bcce66af4be4ba9%40%3Ccvs.httpd.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r06f0d87ebb6d59ed8379633f36f72f5b1f79cadfda72ede0830b42cf%40%3Ccvs.httpd.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rc998b18880df98bafaade071346690c2bc1444adaa1a1ea464b93f0a%40%3Ccvs.httpd.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r03ee478b3dda3e381fd6189366fa7af97c980d2f602846eef935277d%40%3Ccvs.httpd.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rd2fb621142e7fa187cfe12d7137bf66e7234abcbbcd800074c84a538%40%3Ccvs.httpd.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r9f93cf6dde308d42a9c807784e8102600d0397f5f834890708bf6920%40%3Ccvs.httpd.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/re473305a65b4db888e3556e4dae10c2a04ee89dcff2e26ecdbd860a9%40%3Ccvs.httpd.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/rd336919f655b7ff309385e34a143e41c503e133da80414485b3abcc9%40%3Ccvs.httpd.apache.org%3E
Mailing List mailing-list
x_refsource_mlist
https://lists.apache.org/thread.html/r76142b8c5119df2178be7c2dba88fde552eedeec37ea993dfce68d1d%40%3Ccvs.httpd.apache.org%3E
Vendor Advisory x_refsource_misc
https://www.oracle.com//security-alerts/cpujul2021.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20190125-0001/
Scores
CVSS v3
7.5
EPSS
0.1739
EPSS Percentile
95.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
VulnCheck KEV
2022-02-22
Status
published
Products (9)
apache/http_server
2.4.37
oracle/enterprise_manager_ops_center
12.3.3
oracle/hospitality_guest_access
4.2.0
oracle/hospitality_guest_access
4.2.1
oracle/instantis_enterprisetrack
17.1
oracle/instantis_enterprisetrack
17.2
oracle/instantis_enterprisetrack
17.3
oracle/retail_xstore_point_of_service
7.0
oracle/retail_xstore_point_of_service
7.1
Published
Jan 30, 2019
Tracked Since
Feb 18, 2026