In the past few days, big tech media outlets rotated a news item about a vulnerability in the Apache Web Server – CVE-2019-0211. Apache powers more than 40% of the Internet and is the most popular web server today. You can check the following article on Ars Technica for example.
All articles we saw mentioned that the bug is particularly bad for shared hosting providers. This may be the case for some, but ICDSoft’s hosting environment is protected from such exploits by design.
This is a privilege escalation bug. It theoretically allows unprivileged scripts, usually run by Apache with lowered privileges, to take over the main Apache process. In some environments, the main Apache process may be running as root, which in turn would allow the unprivileged script to gain root access.
We have heard the same tune many times – shared hosting providers are insecure and you should be using a VPS. Our practice as a shared hosting provider for over 18 years has shown exactly the opposite, and this bug proves it. Here is why:
- ICDSoft’s servers were never vulnerable to this bug. It affects only badly configured servers. In this case, we are protected by a security mechanism called SuExec.
- ICDSoft’s system administrators were updating the servers with the provided patches (which were largely unneeded in our case) even before the big news outlets posted the news.
If you check only the headlines, you may get only a part of the picture. This is also the case with the following post, which popularized the bug in the security circles:
However, scrolling down the thread reveals the truth – properly secured setups are unaffected:
So, if you are reading the news and are concerned about shared hosting, don’t be. At least if you are using ICDSoft.