EasyApache4 2024-04-08 Maintenance and Security Release

cPanel, L.L.C. has released an update for EasyApache 4!  Take a look at some highlights below, and then join us on the cPanel Community Forums, Discord, or Reddit to talk about this update and much more. If you have additional questions, feel free to reach out on one of our social channels.

• ea-apache24
  • EA-12070: Update ea-apache2 from v2.4.58 to v2.4.59
    • low: Apache HTTP Server: HTTP Response Splitting in multiple modules (CVE-2024-24795)
    • moderate: Apache HTTP Server: HTTP/2 DoS by memory exhaustion on endless continuation frames (CVE-2024-27316)
    • moderate: Apache HTTP Server: HTTP response splitting (CVE-2023-38709)

• ea-nodejs20
  • EA-12068: Update ea-nodejs20 from v20.12.0 to v20.12.1
    • CVE-2024-27983 – Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High)
    • CVE-2024-27982 – HTTP Request Smuggling via Content Length Obfuscation – (Medium)

• ea-nodejs18
  • EA-12067: Update ea-nodejs18 from v18.20.0 to v18.20.1
    • CVE-2024-27983 – Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High)
    • CVE-2024-27982 – HTTP Request Smuggling via Content Length Obfuscation – (Medium)

• ea-nghttp2
  • EA-12069: Update ea-nghttp2 from v1.60.0 to v1.61.0
    • CVE-2024-28182: Reading unbounded number of HTTP/2 CONTINUATION frames to cause excessive CPU usage

• ea-profiles-cpanel
  • ZC-11574: Set epoch to `5` to coordinate w/ Cloudlinux’s fixes

• ea-tomcat85
  • EA-11588: Mark ea-tomcat85 as EOL

SUMMARY

cPanel, L.L.C. has updated packages for EasyApache 4 with ea-apache24 v2.4.59, ea-nodejs20 v20.12.1, ea-nodejs18 v18.20.1, and ea-nghttp2 v1.61.0. This release addresses vulnerabilities related to CVE-2024-24795, CVE-2024-27316, CVE-2023-38709, CVE-2024-27983, CVE-2024-27982, and CVE-2024-28182. We strongly encourage all users to upgrade to the latest versions of these packages.

AFFECTED VERSIONS
All versions of ea-apache24 through 2.4.58.
All versions of ea-nodejs18 through 18.20.0.
All versions of ea-nodejs20 through 20.12.0.
All versions of ea-nghttp2 through 1.60.0.

SECURITY RATING
The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:

CVE-2024-24795 – LOW
ea-apache24 2.4.59
Fixed vulnerability related to CVE-2024-24795.

CVE-2024-27316 – MODERATE
ea-apache24 2.4.59
Fixed vulnerability related to CVE-2024-27316.

CVE-2023-38709 – MODERATE
ea-apache24 2.4.59
Fixed vulnerability related to CVE-2023-38709.

CVE-2024-27983 – HIGH
CVE-2024-27982 – MEDIUM
ea-nodejs18 18.20.0
ea-nodejs20 20.12.0
Fixed vulnerabilities related to CVE-2024-27982 and CVE-2024-27983.

CVE-2024-28182 – MODERATE
ea-nghttp2 1.61.0
Fixed vulnerability related to CVE-2024-28182.

SOLUTION
cPanel, L.L.C. has released updated packages for EasyApache 4 on April 8, 2024, with ea-apache24 v2.4.59, ea-nodejs20 v20.12.1, ea-nodejs18 v18.20.1, and ea-nghttp2 v1.61.0. Unless you have enabled automatic package updates in your cron, update your system with either your package manager or WHM’s Run System Update interface.

REFERENCES
https://httpd.apache.org/security/vulnerabilities_24.html
https://nodejs.org/en/blog/vulnerability/april-2024-security-releases
https://www.cve.org/CVERecord?id=CVE-2024-28182

https://news.cpanel.com/wp-content/uploads/2024/04/EA4-2024-4-3-CVE.signed-1.txt

Information about all releases this year can be found in the 2024 EasyApache 4 Changelog and the EasyApache 4 Release Notes.