Vulnerability Name:

CVE-2019-0190 (CCN-156005)

Assigned:2018-11-14
Published:2019-01-22
Updated:2021-07-20
Summary:A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts.
CVSS v3 Severity:7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Low
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
Vulnerability Type:CWE-noinfo
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2019-0190

Source: CCN
Type: Oracle CPUJul2019
Oracle Critical Patch Update Advisory - July 2019

Source: BID
Type: Third Party Advisory, VDB Entry
106743

Source: XF
Type: UNKNOWN
apache-http-cve20190190-dos(156005)

Source: CCN
Type: Apacche Web site
Apache HTTP Server 2.4 vulnerabilities

Source: CONFIRM
Type: Vendor Advisory
https://httpd.apache.org/security/vulnerabilities_24.html

Source: MLIST
Type: Mailing List, Vendor Advisory
[httpd-cvs] 20190815 svn commit: r1048743 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: Mailing List, Vendor Advisory
[httpd-cvs] 20190815 svn commit: r1048742 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073139 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/json/

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073143 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210606 svn commit: r1075470 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2020-13938.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073149 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073140 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/cvejsontohtml.py security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: Mailing List, Vendor Advisory
[httpd-cvs] 20200401 svn commit: r1058586 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1888194 [12/13] - /httpd/site/trunk/content/security/json/

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210603 svn commit: r1075360 [3/3] - in /websites/staging/httpd/trunk/content: ./ security/json/CVE-2021-31618.json security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: Mailing List, Vendor Advisory
[httpd-cvs] 20200401 svn commit: r1058587 [4/4] - in /websites/staging/httpd/trunk/content: ./ security/vulnerabilities-httpd.xml security/vulnerabilities_13.html security/vulnerabilities_20.html security/vulnerabilities_22.html security/vulnerabilities_24.html

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073149 [12/13] - in /websites/staging/httpd/trunk/content: ./ security/ security/json/

Source: MLIST
Type: UNKNOWN
[httpd-cvs] 20210330 svn commit: r1073139 [1/13] - in /websites/staging/httpd/trunk/content: ./ security/json/

Source: GENTOO
Type: Third Party Advisory
GLSA-201903-21

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20190125-0001/

Source: CCN
Type: IBM Security Bulletin 869488 (Rational Build Forge)
Rational Build Forge Security Advisory for Apache HTTP Server (CVE-2019-0190; CVE-2018-17189; CVE-2018-17199)

Source: CCN
Type: IBM Security Bulletin 872490 (i)
Vulnerabilities CVE-2018-17199, CVE-2018-17189, and CVE-2019-0190 in the IBM i HTTP Server affect IBM i.

Source: CCN
Type: Oracle CPUJul2021
Oracle Critical Patch Update Advisory - July 2021

Source: MISC
Type: Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Source: MISC
Type: Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2019-0190

Vulnerable Configuration:Configuration 1:
  • cpe:/a:apache:http_server:2.4.37:*:*:*:*:*:*:*
  • AND
  • cpe:/a:openssl:openssl:*:*:*:*:*:*:*:* (Version >= 1.1.1

    • Configuration 2:
  • cpe:/a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:apache:http_server:2.4.37:*:*:*:*:*:*:*
  • AND
  • cpe:/o:ibm:i:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_build_forge:8.0.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_build_forge:8.0.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_build_forge:8.0.0.8:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_build_forge:8.0.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_build_forge:8.0.0.10:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:com.ubuntu.bionic:def:20190190000
    V
    		CVE-2019-0190 on Ubuntu 18.04 LTS (bionic) - medium.
    2019-01-30
    oval:com.ubuntu.cosmic:def:201901900000000
    V
    		CVE-2019-0190 on Ubuntu 18.10 (cosmic) - medium.
    2019-01-30
    oval:com.ubuntu.cosmic:def:20190190000
    V
    		CVE-2019-0190 on Ubuntu 18.10 (cosmic) - medium.
    2019-01-30
    oval:com.ubuntu.bionic:def:201901900000000
    V
    		CVE-2019-0190 on Ubuntu 18.04 LTS (bionic) - medium.
    2019-01-30
    oval:com.ubuntu.trusty:def:20190190000
    V
    		CVE-2019-0190 on Ubuntu 14.04 LTS (trusty) - medium.
    2019-01-30
    oval:com.ubuntu.xenial:def:201901900000000
    V
    		CVE-2019-0190 on Ubuntu 16.04 LTS (xenial) - medium.
    2019-01-30
    oval:com.ubuntu.xenial:def:20190190000
    V
    		CVE-2019-0190 on Ubuntu 16.04 LTS (xenial) - medium.
    2019-01-30
    BACK
    apache http server 2.4.37
    openssl openssl *
    oracle enterprise manager ops center 12.3.3
    oracle hospitality guest access 4.2.0
    oracle hospitality guest access 4.2.1
    oracle instantis enterprisetrack 17.1
    oracle instantis enterprisetrack 17.2
    oracle instantis enterprisetrack 17.3
    oracle retail xstore point of service 7.0
    oracle retail xstore point of service 7.1
    apache http server 2.4.37
    ibm i 7.3
    oracle retail xstore point of service 7.0
    oracle retail xstore point of service 7.1
    ibm rational build forge 8.0.0.6
    oracle instantis enterprisetrack 17.1
    oracle instantis enterprisetrack 17.2
    ibm rational build forge 8.0.0.7
    ibm rational build forge 8.0.0.8
    oracle instantis enterprisetrack 17.3
    ibm rational build forge 8.0.0.9
    ibm rational build forge 8.0.0.10