CVE-2019-0190 — HIGH (7.5) — White Hats Nepal

Vulnerability Description

A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bug can be only triggered with Apache HTTP Server version 2.4.37 when using OpenSSL version 1.1.1 or later, due to an interaction in changes to handling of renegotiation attempts.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Apache	Http Server	2.4.37
Openssl	Openssl	>= 1.1.1
Oracle	Enterprise Manager Ops Center	12.3.3
Oracle	Hospitality Guest Access	4.2.0
Oracle	Instantis Enterprisetrack	17.1
Oracle	Retail Xstore Point Of Service	7.0

References

FAQ

What is CVE-2019-0190?

CVE-2019-0190 is a vulnerability with a CVSS score of 7.5 (HIGH). A bug exists in the way mod_ssl handled client renegotiations. A remote attacker could send a carefully crafted request that would cause mod_ssl to enter a loop leading to a denial of service. This bu...

How severe is CVE-2019-0190?

CVE-2019-0190 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-0190?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Http Server, Openssl Openssl, Oracle Enterprise Manager Ops Center, Oracle Hospitality Guest Access, Oracle Instantis Enterprisetrack.