LENA

Cloud-native web application server


LENA Security Update Report (security fix#20190430)

This report lists the vulnerabilities fixed and the security changes applied in LENA Security Update Report (security fix#20190430).

LENA Technical Support

LENA 1.2.0-5 security fix#20190430

Vulnerabilities fixed

LENA WEB Server

  • CVE-2019-0211, CVE-2019-0217, CVE-2019-0215, CVE-2019-0197, CVE-2019-0196, CVE-2019-0220
  • CVE-2019-0190, CVE-2018-17199, CVE-2018-17189
  • CVE-2018-11763
  • CVE-2018-1333, CVE-2018-8011

LENA WAS Server

  • CVE-2019-0232, CVE-2018-11784

Major vulnerabilities (KISA security update advisories for new vulnerabilities)

N/A

Vulnerability details

LENA WEB Server

| CVE IDs | Impact | Vulnerability type | Description | Fixed in LENA version |
|---|---|---|---|---|
| CVE-2019-0211 | important | Permissions, Privileges, and Access Control | HTTP Server privilege escalation from modules' scripts | 1.2.5 (fix#2), 1.3.0 |
| CVE-2019-0217 | important | Race Conditions | mod_auth_digest access control bypass | 1.2.5 (fix#2), 1.3.0 |
| CVE-2019-0215 | important | Improper Access Control | mod_ssl access control bypass | 1.2.5 (fix#2), 1.3.0 |
| CVE-2019-0197 | low | N/A | mod_http2, possible crash on late upgrade | 1.2.5 (fix#2), 1.3.0 |
| CVE-2019-0196 | low | N/A | mod_http2, read-after-free on a string compare | 1.2.5 (fix#2), 1.3.0 |
| CVE-2019-0220 | low | N/A | Apache httpd URL normalization inconsistency | 1.2.5 (fix#2), 1.3.0 |
| CVE-2019-0190 | important | Input Validation | mod_ssl 2.4.37 remote DoS when used with OpenSSL 1.1.1 | 1.2.5 (fix#2), 1.3.0 |
| CVE-2018-17199 | low | Session Fixation | mod_session_cookie does not respect expiry time | 1.2.5 (fix#2), 1.3.0 |
| CVE-2018-17189 | low | Uncontrolled Resource Consumption | DoS for HTTP/2 connections via slow request bodies | 1.2.5 (fix#2), 1.3.0 |
| CVE-2018-1333 | low | Resource Management Errors | DoS for HTTP/2 connections by crafted requests | 1.2.5 (fix#2), 1.3.0 |
| CVE-2018-8011 | moderate | NULL Pointer Dereference | mod_md, DoS via Coredumps on specially crafted requests | 1.2.5 (fix#2), 1.3.0 |

LENA WAS Server

| CVE IDs | Impact | Vulnerability type | Description | Fixed in LENA version |
|---|---|---|---|---|
| CVE-2019-0232 | Important | Input Validation | Remote Code Execution on Windows | 1.2.5 (fix#2), 1.3.0 |
| CVE-2018-11784 | Moderate | URL Redirection to Untrusted Site ('Open Redirect') | Open Redirect | 1.2.5 (fix#2), 1.3.0 |