CVE-2019-0190
high-risk
Published 2019-01-30
A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop, leading to a denial of service. This bug can only be triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts.
Do I need to act?
17.4% chance of exploitation in next 30 days (EPSS score, higher than 83% of all CVEs)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 7.5/10 (High), NETWORK / LOW complexity
Affected Products (9)
References (40)
Third Party Advisory: http://www.securityfocus.com/bid/106743
Vendor Advisory: https://httpd.apache.org/security/vulnerabilities_24.html
Third Party Advisory: https://security.gentoo.org/glsa/201903-21
Third Party Advisory: https://security.netapp.com/advisory/ntap-20190125-0001/
Third Party Advisory: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Third Party Advisory: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
and 20 more references
54 / 100 high-risk
Severity: 26/34 · High
Exploitability: 13/34 · Low
Exposure: 15/34 · Moderate