Shortly after the critical remote code execution vulnerability in the Apache Log4j logging library, the Apache team patched another high-severity vulnerability in a different product.
Apache HTTP Server 2.4.52 is a security release that fixes a server-side request forgery (SSRF) vulnerability in mod_proxy and a buffer overflow in mod_lua. Unpatched servers are exposed to crashes or SSRF against internal endpoints, and to a memory corruption bug that may be exploitable for code execution.
Apache HTTP Server is a modular web server that, over many years of development, has become one of the most widely deployed web servers in the world, running on virtually every common platform. It is valued for simple configuration, good performance and stability, and it is frequently deployed as a reverse proxy or load balancer through mod_proxy, the same component involved in the SSRF issue.
Vulnerability Description
The server-side request forgery (SSRF) vulnerability, tracked as CVE-2021-44224, is rated moderate severity. It stems from insufficient validation of the request URI when httpd is configured as a forward proxy (ProxyRequests On). A crafted URI can cause a NULL pointer dereference and crash the worker process; in configurations that mix forward and reverse proxy declarations it can also cause httpd to direct the request to a declared Unix Domain Socket endpoint, which is the SSRF. Successful exploitation could let a remote attacker reach services on the local network or use the vulnerable server to send requests to other systems. This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 and is fixed in 2.4.52.
The buffer overflow vulnerability, tracked as CVE-2021-44790, is rated high severity. It is a boundary error in the multipart form data parser in mod_lua, which is reached when a Lua script calls r:parsebody(). A remote attacker who can reach such a script can send a crafted request body, trigger the overflow and potentially execute arbitrary code on the server. The Apache project stated that it had no evidence of an in-the-wild exploit, but that one may be possible to craft. This issue affects Apache HTTP Server 2.4.51 and earlier and is fixed in 2.4.52.
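A practical first step for both CVEs is deciding which hosts actually matter: a build older than 2.4.52, with mod_proxy loaded (and ProxyRequests On) for CVE-2021-44224, or with mod_lua loaded (and a handler calling r:parsebody()) for CVE-2021-44790. The following triage script is an added example written for this write-up, not code from the Apache project or the advisory. It assumes the usual output format of `httpd -v` ("Server version: Apache/2.4.51 (Unix)") and `httpd -M` (one " name_module (shared)" line per module; on Debian-style layouts use `apache2ctl -M`), and it treats a loaded module as a "possible" exposure, not a confirmed one, since the real triggers live in the configuration. The sample banner and module list at the bottom are constructed so the script runs offline. Run it locally rather than against the remote `Server:` header, which ServerTokens often strips.

```shell
#!/bin/sh
# Added example for this write-up, not code from the Apache project or the advisory:
# a local triage helper that decides whether a host is exposed to CVE-2021-44224
# and/or CVE-2021-44790. It works on the text of `httpd -v` and `httpd -M`
# (apache2ctl -M on Debian-style layouts) so it can also be run offline against
# saved output. All sample strings below are constructed, not captured.

# Pull the numeric version out of a banner such as
# "Server version: Apache/2.4.51 (Unix)" or a Server: header "Apache/2.4.51 (Debian)".
httpd_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Turn "2.4.51" into the integer 2004051 so dotted versions compare with -lt.
version_key() {
    (
        IFS=.
        set -- $1
        printf '%d%03d%03d' "${1:-0}" "${2:-0}" "${3:-0}"
    )
}

# True (exit 0) when version $1 is older than version $2.
version_lt() {
    [ "$(version_key "$1")" -lt "$(version_key "$2")" ]
}

# True when the build predates 2.4.52, the release that carries both fixes.
httpd_needs_update() {
    version_lt "$1" 2.4.52
}

# True when module $2 appears in the `httpd -M` output passed as $1
# (lines look like " lua_module (shared)").
module_loaded() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*$2[[:space:]]"
}

# Report which CVEs may apply. $1 = `httpd -v` output, $2 = `httpd -M` output.
# Returns 0 if at least one CVE plausibly applies, 1 if not, 2 if unparsable.
triage() {
    ver=$(httpd_version_from_banner "$1")
    exposed=1
    if [ -z "$ver" ]; then
        echo "could not find an Apache version in: $1" >&2
        return 2
    fi
    if ! httpd_needs_update "$ver"; then
        echo "httpd $ver: includes the 2.4.52 fixes"
        return 1
    fi
    # CVE-2021-44224 needs 2.4.7+ and mod_proxy acting as a forward proxy. A loaded
    # proxy_module is the cheap signal; ProxyRequests On in the config is the real trigger.
    if module_loaded "$2" proxy_module && ! version_lt "$ver" 2.4.7; then
        echo "httpd $ver: CVE-2021-44224 possible (mod_proxy loaded; check config for ProxyRequests On)"
        exposed=0
    fi
    # CVE-2021-44790 needs mod_lua and a Lua handler that calls r:parsebody().
    if module_loaded "$2" lua_module; then
        echo "httpd $ver: CVE-2021-44790 possible (mod_lua loaded; check Lua scripts for r:parsebody)"
        exposed=0
    fi
    if [ "$exposed" -eq 1 ]; then
        echo "httpd $ver: unpatched, but neither mod_proxy nor mod_lua is loaded; update anyway"
    fi
    return "$exposed"
}

# Constructed sample output standing in for a real host; on a live system run
#   triage "$(httpd -v)" "$(httpd -M 2>/dev/null)"
SAMPLE_BANNER='Server version: Apache/2.4.51 (Unix)'
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 proxy_module (shared)
 proxy_http_module (shared)
 lua_module (shared)'

triage "$SAMPLE_BANNER" "$SAMPLE_MODULES" || true
```

The version gate matters in both directions: a 2.4.6 host with mod_proxy is outside the CVE-2021-44224 range, while any pre-2.4.52 host with mod_lua stays in scope for CVE-2021-44790. Whatever the script reports, the fix is the same: upgrade to 2.4.52, and in the meantime disable ProxyRequests where forward proxying is not needed and avoid exposing Lua handlers that parse multipart bodies to untrusted clients.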
CVE | Vulnerability type | Severity | Affected versions | Fixed in | In-Wild | Exploit |
---|---|---|---|---|---|---|
CVE-2021-44224 | SSRF / NULL pointer dereference (mod_proxy, forward proxy) | Moderate | 2.4.7 to 2.4.51 | 2.4.52 | Unknown | Unknown |
CVE-2021-44790 | Buffer overflow (mod_lua multipart parser) | High | 2.4.51 and earlier | 2.4.52 | Unknown | Unknown |