← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
tenable:121355 · Disclosed 2019-01-22

Apache 2

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is less a wide-open front door and more three separate side windows that only matter if you actually built them

Tenable plugin 121355 fires on Apache HTTP Server versions below 2.4.38, but it is really a bundle of three different issues fixed by the 2019-02-28 upstream release. CVE-2018-17189 is an HTTP/2 slow-body thread exhaustion bug that only matters when mod_http2 is enabled; CVE-2018-17199 is a mod_session_cookie expiry-handling flaw affecting 2.4.37 and earlier; and CVE-2019-0190 is a mod_ssl renegotiation DoS that only affects exactly 2.4.37 when paired with OpenSSL 1.1.1 or later.

The vendor's HIGH label is too generous for most estates because the reachable population collapses fast once you account for optional modules, exact-version gating, and banner-based detection. This is not a one-shot pre-auth RCE across generic Apache exposure; it is mostly conditional DoS plus one niche session-integrity bug, so in real enterprise patch queues it belongs in the middle tier unless you confirm those modules are exposed on internet-facing systems.

"This is a feature-gated old-Apache bundle, not a broad internet-scale emergency."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Fingerprint a vulnerable build

The attacker first needs an Apache target older than 2.4.38, usually identified via the Server banner, TLS fingerprinting, or asset inventory leakage. Tenable itself states this plugin is version-driven and does not validate exploitability, so the first practical step for both attacker and defender is confirming whether the instance is a raw upstream build or a distro-backported package.
Conditions required:
  • Target is running Apache HTTP Server below 2.4.38 or at least advertises that version
  • Banner or package metadata is visible enough to infer release lineage
Where this breaks in practice:
  • Many enterprise Linux packages backport fixes without changing the base upstream version string
  • Version-only detections overcount risk when Apache is vendor-maintained by Debian, Ubuntu, RHEL, or similar distros
Detection/coverage: Nessus plugin 121355 is banner-based only. CMDB/SBOM/package-manager data is more trustworthy than unauthenticated scans here.
STEP 02

Find the right feature gate

The attacker then needs one of three optional exposure paths. CVE-2018-17189 requires mod_http2; CVE-2018-17199 requires mod_session_cookie; and CVE-2019-0190 requires exactly Apache 2.4.37 with mod_ssl plus OpenSSL 1.1.1+.
Conditions required:
  • mod_http2 enabled for the HTTP/2 DoS path
  • mod_session_cookie enabled for the session-expiry path
  • Apache 2.4.37 with OpenSSL 1.1.1+ for the renegotiation DoS path
Where this breaks in practice:
  • mod_http2 is optional and must be built/enabled explicitly
  • mod_session_cookie is not a universal deployment pattern in enterprise web estates
  • The mod_ssl bug does not broadly hit all <2.4.38 builds; it is pinned to a narrow version-and-library combination
Detection/coverage: Authenticated checks should verify loaded modules via apachectl -M / httpd -M and OpenSSL linkage. Internet scanners generally do not see this feature state cleanly.
STEP 03

Trigger the selected flaw with commodity tooling

For CVE-2018-17189, a slow HTTP/2 request body sent with tooling such as nghttp, curl --http2, or custom Slowloris-style scripts can pin worker cleanup threads. For CVE-2018-17199, the attacker reuses an expired-but-still-accepted session cookie if the application relies on mod_session_cookie expiry enforcement. For CVE-2019-0190, crafted renegotiation traffic abuses the mod_ssl handling path and can wedge the service.
Conditions required:
  • Internet or network reachability to the Apache listener
  • No upstream reverse proxy normalizing or terminating the relevant traffic path
  • Application logic actually depends on Apache-side session expiry for the cookie issue
Where this breaks in practice:
  • Reverse proxies, CDNs, or load balancers often terminate HTTP/2 or TLS before Apache sees hostile traffic
  • Many apps implement their own session lifecycle, reducing the real impact of the cookie-expiry bug
  • DoS impact varies with worker counts, front-end buffering, and traffic management
Detection/coverage: Look for spikes in slow HTTP/2 streams, abnormal thread utilization, renegotiation anomalies, and reuse of stale session identifiers. WAF/CDN telemetry is often better than host-only logs for the HTTP/2 path.
STEP 04

Land impact

The realistic end state is service degradation or a narrow authentication/session control failure, not broad host takeover. Even the highest-scored CVE in the bundle (CVE-2018-17199) is an integrity problem tied to a specific session module, while the others are availability issues with clear deployment prerequisites.
Conditions required:
  • Feature gate and request path both remain exposed end-to-end
  • No front-end rate limiting, buffering, or protocol offload neutralizes the request pattern
Where this breaks in practice:
  • No RCE or generic data-exfil path is documented for this bundle
  • Blast radius is typically one web tier or one app's session handling, not instant domain-wide compromise
Detection/coverage: Capacity monitoring, Apache error logs, and proxy-layer telemetry should catch the DoS patterns; session anomalies are harder and usually need app or auth log correlation.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo strong public evidence of active exploitation for this bundle surfaced in the reviewed sources. Tenable marks Exploit Ease: No known exploits are available, and the reviewed CISA KEV catalog does not list CVE-2018-17189, CVE-2018-17199, or CVE-2019-0190.
Public PoC availabilityNo well-known weaponized repo stood out in the reviewed sources. The primitives are simple enough to reproduce with commodity tools like nghttp or curl --http2, but this is not a famous exploit-kit bug.
EPSSAccessible FIRST-wrapped feeds show low-to-moderate exploit probability rather than breakout risk: Feedly shows CVE-2019-0190 at 1.26% EPSS / 84th percentile, CVE-2018-17189 at 0.41% / 70.8th percentile, and CVE-2018-17199 at 0.18% / 54.3rd percentile.
KEV statusNot KEV-listed in the reviewed CISA catalog. That matters because there is no authoritative federal signal here that the bugs are being exploited at scale.
CVSS reality checkThe plugin inherits its top-line severity from CVE-2018-17199 at CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), but that score assumes the vulnerable mod_session_cookie workflow is actually in play. The two other bundled CVEs are DoS-only and materially more conditional.
Affected versionsTenable flags Apache <2.4.38. Upstream scope is narrower per-CVE: CVE-2018-17189 and CVE-2018-17199 affect 2.4.37 and earlier, while CVE-2019-0190 only affects Apache 2.4.37 with OpenSSL 1.1.1+.
Fixed versionsUpstream fix point is Apache HTTP Server 2.4.38. Debian also backported fixes into older package lines such as stretch via apache2 2.4.25-3+deb9u7, which is exactly why raw version-string checks can mislead.
Exposure/scanning realityThere is no high-confidence internet census in the reviewed sources for *these exact feature-gated paths*. What we do have is stronger: Apache's own docs confirm HTTP/2 is implemented by optional mod_http2, and Tenable confirms this plugin does not test the actual flaw paths.
Disclosure timelineApache published the vulnerable-feature details on 2019-01-22, Tenable published plugin 121355 on 2019-01-24, NVD published the bundled CVEs on 2019-01-30, and Apache released 2.4.38 on 2019-02-28.
Researchers/reportersCVE-2018-17189: Gal Goldshtein of F5 Networks. CVE-2018-17199: Diego Angulo from ImExHS. CVE-2019-0190: discovered through user bug reports per Apache; Ubuntu notes it only affects 2.4.37.
04 · The Call

noisgate verdict.

Final Verdict
= UNCHANGED to MEDIUM (4.8/10)

The decisive factor is compounded feature gating: the bundle only becomes real if the target is both old and configured with the exact module path the attacker needs. That sharply narrows the exposed population compared with a generic unauthenticated Apache flaw, even before you account for distro backports and proxy offload.

HIGH Upstream issue scope and fixed version (`2.4.38`)
HIGH Tenable detection is version-only, not exploit-path-aware
MEDIUM Real-world exploit prevalence is low based on accessible public sources

Why this verdict

  • Vendor HIGH is inflated by bundling. Tenable rolls three unrelated issues into one plugin and inherits the top score from CVE-2018-17199, even though the bundle is not uniformly reachable.
  • Feature prerequisites cut the exposed population hard. CVE-2018-17189 needs mod_http2, CVE-2018-17199 needs mod_session_cookie, and CVE-2019-0190 needs exactly 2.4.37 plus OpenSSL 1.1.1+; each prerequisite narrows the real attack surface.
  • This is mostly availability impact, not takeover. Two of the three CVEs are DoS-only, and the third is a session-expiry integrity flaw rather than code execution or broad auth bypass.
  • Attacker position is remote, but not broad-compromise remote. A remote unauthenticated attacker can hit the service, but only after the deployment has already opted into the right module stack; that is meaningful downward pressure from a 10,000-host triage perspective.
  • Detection quality is noisy. Nessus explicitly says it did not test the flaws and relied on the application's self-reported version, which means distro backports and custom packaging can create false positives or at least overstated urgency.

Why not higher?

There is no credible RCE story here, no KEV listing, and no strong public exploitation signal in the reviewed sources. The main amplifier for a HIGH or CRITICAL call would be broad pre-auth compromise across default deployments, and this bundle simply does not meet that bar.

Why not lower?

It is still remote and externally reachable where the affected modules are enabled, and one bundled issue carries real integrity impact if mod_session_cookie is part of the auth/session design. On older internet-facing Apache tiers without reverse-proxy offload, the DoS paths are operationally relevant enough that this should not be ignored entirely.

05 · Compensating Control

What to do — in priority order.

  1. Disable unused Apache modules — Turn off mod_http2 and mod_session_cookie anywhere they are not explicitly required. This is the cleanest way to collapse exposure for two of the three bundled issues, and because the reassessed verdict is MEDIUM there is no mitigation SLA — use this as exposure reduction while you work inside the 365-day remediation window.
  2. Terminate HTTP/2 and TLS upstream — Prefer CDN, reverse proxy, or load balancer termination so Apache never directly processes hostile HTTP/2 or renegotiation traffic. This is especially useful for older internet-facing estates where upgrading lags, and again there is no mitigation SLA for a MEDIUM verdict.
  3. Enforce application-side session expiry — Do not rely on Apache mod_session_cookie alone for session lifetime decisions. Have the application or IdP validate session age server-side so the cookie-expiry bug cannot silently extend a session's trust lifetime.
  4. Rate-limit slow request patterns — Use the front-end proxy, CDN, or WAF to cap slow body uploads, concurrent HTTP/2 streams, and abusive connection behavior. This will not fix the bug, but it materially reduces the practical DoS path on exposed web tiers.
What doesn't work
  • A generic EDR rollout does not solve this; these are request-path and protocol-handling issues inside the web service, not a malware-on-host problem.
  • Simply hiding the Apache version banner does not remove exposure; it only makes fingerprinting noisier while the vulnerable modules keep processing traffic.
  • A WAF alone is not a guaranteed answer for mod_session_cookie expiry misuse because the issue is server-side session handling, not obviously malicious request syntax.
06 · Verification

Crowdsourced verification payload.

Run this on the target Apache host as a local auditor or via your config-management/remote shell tooling. Invoke it as bash verify_apache_121355.sh with no arguments; root is not usually required, but elevated rights may help apachectl -M succeed on locked-down systems. The script outputs VULNERABLE, PATCHED, or UNKNOWN and intentionally returns UNKNOWN for distro-backported builds it cannot safely prove either way.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# verify_apache_121355.sh
# Best-effort verifier for Tenable plugin 121355
# Checks Apache version plus module/library gates for:
# - CVE-2018-17189 (mod_http2 DoS)
# - CVE-2018-17199 (mod_session_cookie expiry bug)
# - CVE-2019-0190 (2.4.37 + mod_ssl + OpenSSL 1.1.1+ DoS)
#
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

set -u

say() { printf '%s\n' "$1"; }

find_ctl() {
  for c in apache2ctl apachectl httpd apache2; do
    if command -v "$c" >/dev/null 2>&1; then
      echo "$c"
      return 0
    fi
  done
  return 1
}

ver_to_int() {
  # 2.4.37 -> 002004037
  local IFS=.
  local parts=($1)
  printf '%03d%03d%03d' "${parts[0]:-0}" "${parts[1]:-0}" "${parts[2]:-0}"
}

pkg_backport_patched() {
  # Minimal known-good check for Debian stretch advisory DSA-4422-1.
  # If we cannot prove a backport, return 1 and let the higher-level logic decide.
  if command -v dpkg-query >/dev/null 2>&1; then
    local pkgver
    pkgver=$(dpkg-query -W -f='${Version}' apache2 2>/dev/null || true)
    if [[ -n "$pkgver" ]]; then
      if dpkg --compare-versions "$pkgver" ge '2.4.25-3+deb9u7'; then
        return 0
      fi
    fi
  fi
  return 1
}

CTL=$(find_ctl) || { say 'UNKNOWN - Apache control binary not found'; exit 2; }

VER_LINE=$($CTL -v 2>/dev/null | head -n1 || true)
RAW_VER=$(printf '%s' "$VER_LINE" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p')

if [[ -z "$RAW_VER" ]]; then
  say 'UNKNOWN - Could not determine Apache version'
  exit 2
fi

# Normalize to major.minor.patch
IFS=. read -r VMAJ VMIN VPAT <<< "$RAW_VER"
VMAJ=${VMAJ:-0}
VMIN=${VMIN:-0}
VPAT=${VPAT:-0}
APACHE_VER="${VMAJ}.${VMIN}.${VPAT}"
APACHE_INT=$(ver_to_int "$APACHE_VER")
FIXED_INT=$(ver_to_int '2.4.38')
TARGET_2437_INT=$(ver_to_int '2.4.37')

if pkg_backport_patched; then
  say "PATCHED - Distro package backport detected for apache2 ($(dpkg-query -W -f='${Version}' apache2 2>/dev/null))"
  exit 0
fi

if [[ "$APACHE_INT" -ge "$FIXED_INT" ]]; then
  say "PATCHED - Apache version ${APACHE_VER} is >= 2.4.38"
  exit 0
fi

MODULES=$($CTL -M 2>/dev/null || true)
if [[ -z "$MODULES" ]]; then
  MODULES=$(httpd -M 2>/dev/null || true)
fi

has_http2=0
has_session_cookie=0
has_ssl=0

printf '%s\n' "$MODULES" | grep -Eq '(^|[[:space:]])(http2_module|h2_module)' && has_http2=1
printf '%s\n' "$MODULES" | grep -Eq '(^|[[:space:]])session_cookie_module' && has_session_cookie=1
printf '%s\n' "$MODULES" | grep -Eq '(^|[[:space:]])ssl_module' && has_ssl=1

OPENSSL_AFFECTED=0
if command -v openssl >/dev/null 2>&1; then
  OSSL_VER=$(openssl version 2>/dev/null | awk '{print $2}')
  if [[ -n "$OSSL_VER" ]]; then
    OSSL_BASE=${OSSL_VER%%[a-zA-Z]*}
    if [[ $(ver_to_int "$OSSL_BASE") -ge $(ver_to_int '1.1.1') ]]; then
      OPENSSL_AFFECTED=1
    fi
  fi
fi

# Exposure logic for this specific Tenable plugin bundle.
if [[ "$has_http2" -eq 1 || "$has_session_cookie" -eq 1 ]]; then
  say "VULNERABLE - Apache ${APACHE_VER} < 2.4.38 with relevant module(s) enabled (http2=${has_http2}, session_cookie=${has_session_cookie}, ssl=${has_ssl})"
  exit 1
fi

if [[ "$APACHE_INT" -eq "$TARGET_2437_INT" && "$has_ssl" -eq 1 && "$OPENSSL_AFFECTED" -eq 1 ]]; then
  say "VULNERABLE - Apache 2.4.37 with mod_ssl and OpenSSL >= 1.1.1 matches CVE-2019-0190 conditions"
  exit 1
fi

say "UNKNOWN - Apache ${APACHE_VER} is older than 2.4.38 but this script did not prove the vulnerable module/library path; check distro backports and module config manually"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do not treat plugin 121355 like a generic internet-fire RCE. First, validate which hosts are real upstream <2.4.38 builds versus distro-backported packages, then quickly identify any internet-facing systems with mod_http2, mod_session_cookie, or Apache 2.4.37 + OpenSSL 1.1.1+. Because this is a MEDIUM reassessment, there is no noisgate mitigation SLA — go straight to the 365-day remediation window; use module disablement or proxy offload as opportunistic exposure reduction, and complete the actual vendor/package remediation within the noisgate remediation SLA of ≤365 days.

Sources

  1. Tenable Nessus Plugin 121355
  2. Apache HTTP Server 2.4 vulnerability history
  3. NVD CVE-2018-17189
  4. NVD CVE-2018-17199
  5. Ubuntu CVE-2019-0190 notes
  6. Apache HTTP/2 guide
  7. Debian DSA-4422-1 backport advisory
  8. CISA Known Exploited Vulnerabilities Catalog
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.