Archive for the ‘Apache’ Category
The Apache HTTP Server, the Internet’s most widely used Web server, just fixed a serious vulnerability that makes it possible for untrusted users or software to gain unfettered control of the machine the software runs on.
CVE-2019-0211, as the vulnerability is indexed, is a local privilege escalation, meaning it allows a person or software that already has limited access to the Web server to elevate privileges to root. From there, the attacker could do just about anything. The vulnerability makes it possible for unprivileged scripts to overwrite sensitive parts of a server’s memory, Charles Fol, the independent researcher who discovered the bug, wrote in a blog post. A malicious script could exploit the vulnerability to gain root.
The vulnerability poses the most risk inside Web-hosting facilities that offer shared instances, in which a single physical machine serves content for more than one website. Typically, such servers prevent an administrator of one site from accessing other sites or from accessing sensitive settings of the machine itself.
Officially it’s CVE-2017-5638, but in practice it’s “the bug in Apache Struts you really should have patched by now”. Here’s why…
Last year, Google employees took the initiative to help thousands of open source projects patch a critical remote code execution vulnerability in the widely used Apache Commons Collections (ACC) library.
Dubbed Operation Rosehub, the initiative was carried out by some 50 Google employees who volunteered, using 20 percent of their work time to patch over 2600 open source projects on GitHub, those were