Developers fix multitude of vulnerabilities in Apache HTTP Server

guest · Sep 24, 2021

Developers fix multitude of vulnerabilities in Apache HTTP Server
High-impact SSRF and request smuggling bugs among flaws addressed in bumper patch cycle
September 24, 2021
https://portswigger.net/daily-swig/developers-fix-multitude-of-vulnerabilities-in-apache-http-server

Numerous vulnerabilities have been identified and fixed in Apache HTTP Server 2.4, including high-impact server-side request forgery (SSRF) and request smuggling bugs.

The Apache HTTP Server Project is a collaborative project to develop and maintain an open source software-based HTTP server for modern operating systems including UNIX and Windows. The technology is claimed to be the most popular web server on the internet.
Click to expand...

A high-severity vulnerability with a CVSS score of 8.1, CVE-2021-40438, was discovered by the Apache HTTP security team. The security flaw allows a remote attacker to perform SSRF attacks, and stems from insufficient validation of user-supplied input within the mod proxy module.
Meanwhile, CVE-2021-33193, rated as a moderate severity vulnerability, was reported by PortSwigger security researcher James Kettle on May 11.

Patches issued on 16 September resolves these vulnerabilities, along with three others. These include a medium-severity NULL pointer dereference error, a boundary condition in module mod proxy uwsgi that could trigger a denial of service (system crash) condition and a low impact flaw only involving third party modules.
Click to expand...

All five flaws are resolved with HTTP Server 2.4.49.
Check out Apache’s release notes for full details, here.
Click to expand...

guest · Dec 6, 2021

Experts warn of attacks exploiting CVE-2021-40438 flaw in Apache HTTP Server
November 29, 2021

Threat actors are exploiting a recently addressed server-side request forgery (SSRF) vulnerability, tracked as CVE-2021-40438, in Apache HTTP servers.

The CVE-2021-40438 flaw can be exploited against httpd web servers that have the mod_proxy module enabled. A threat actor can trigger the issue using a specially crafted request to cause the module to forward the request to an arbitrary origin server.
The vulnerability was patched in mid-September with the release of version 2.4.49, it impacts version 2.4.48 and earlier.
Click to expand...

Since the public disclosure of the vulnerability, several PoC exploits for CVE-2021-40438 have been published.

Now experts from Germany’s Federal Office for Information Security (BSI) and Cisco are warning of ongoing attacks attempting to exploit the vulnerability.

“In November 2021, the Cisco PSIRT became aware of exploitation attempts of the vulnerability identified by CVE ID CVE-2021-40438.” reads the security advisory published by CISCO.
The German BSI agency also published an alert about this vulnerability, it is aware of at least one attack exploiting this vulnerability.

“The BSI is aware of at least one case in which an attacker was able to do so through exploitation the vulnerability to obtain hash values of user credentials from the victim’s system. The vulnerability affects all versions of Apache HTTP Server 2.4.48 or older.” reads the alert published by the BSI.
Click to expand...

Log in or Sign up

Developers fix multitude of vulnerabilities in Apache HTTP Server

guest Guest

guest Guest

Log in or Sign up

Developers fix multitude of vulnerabilities in Apache HTTP Server

guest Guest

guest Guest

Useful Searches