Severe remote code execution vulnerability in Apache HTTP Server

The Apache Software Foundation has released Apache HTTP Server 2.4.52, which addresses a newly disclosed vulnerability in the mod_lua module that could allow remote code execution on affected deployments.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) followed with an alert urging Apache HTTP Server users to update to v2.4.52 as soon as possible.

The update patches two flaws, CVE-2021-44790 and CVE-2021-44224. The more severe of the two, CVE-2021-44790, is a buffer overflow in mod_lua that could allow an attacker to execute code on the server. Apache's advisory states: "A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts)." It affects httpd 2.4.51 and earlier, but only deployments that load mod_lua and call r:parsebody() on request bodies from untrusted clients are exposed. Apache says it is not aware of an exploit for the flaw, and so far there are no known cases of active exploitation of CVE-2021-44790.

Apache rates CVE-2021-44224 as moderate: a NULL pointer dereference in mod_proxy that can also be turned into server-side request forgery (SSRF). A crafted URI sent to an httpd instance configured as a forward proxy (ProxyRequests On) can crash the server process; in configurations that mix forward and reverse proxy declarations, it can instead cause the request to be directed to a declared Unix domain socket endpoint. The flaw affects httpd 2.4.7 through 2.4.51.

It has been a busy year for Apache HTTP Server security flaws. Just a few weeks ago, CISA warned about CVE-2021-40438, an SSRF in mod_proxy affecting httpd 2.4.48 and earlier (fixed in 2.4.49), in which a crafted request URI path causes mod_proxy to forward the request to an origin server chosen by the remote user. That flaw has already been exploited in the wild, so it remains a problem for Apache administrators who have not yet updated.
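All three flaws described above are conditional on both the httpd version and the loaded modules or proxy configuration, so a quick triage of a fleet is a matter of reading `httpd -v` output and the configuration. The script below is an added example written for this article, not code from Apache or CISA. It parses a version string and a configuration fragment and reports which of the three CVEs the deployment is exposed to. The affected version ranges are the ones stated in the Apache advisories; the sample version line and `httpd.conf` fragment are constructed for the example, and the module and directive checks are a heuristic (they do not follow `Include` files or `<IfModule>` blocks), not a substitute for patching.

```python
"""Triage helper for CVE-2021-44790, CVE-2021-44224 and CVE-2021-40438.

Added example, not Apache or CISA code. Version ranges per the Apache advisories:
  CVE-2021-44790  httpd 2.4.51 and earlier, only when mod_lua is loaded
  CVE-2021-44224  httpd 2.4.7 through 2.4.51, only with `ProxyRequests On`
  CVE-2021-40438  httpd 2.4.48 and earlier, only when mod_proxy is loaded
"""
import re

# Constructed sample input: what `httpd -v` prints and a minimal httpd.conf.
SAMPLE_VERSION = "Server version: Apache/2.4.51 (Unix)"
SAMPLE_CONF = """
# constructed httpd.conf fragment for the example
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule lua_module modules/mod_lua.so
# forward proxy (the CVE-2021-44224 precondition) mixed with a reverse
# proxy declaration that targets a Unix domain socket
ProxyRequests On
ProxyPass "/app/" "unix:/var/run/app.sock|http://localhost/"
"""


def parse_version(text):
    """Return (major, minor, patch) from e.g. 'Server version: Apache/2.4.51 (Unix)'."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Apache/x.y.z version string found")
    return tuple(int(x) for x in m.groups())


def config_facts(conf):
    """Collect the configuration facts the three advisories hinge on.

    httpd only allows full-line comments, so a line starting with '#' is
    skipped; directive names are case-insensitive, module names are not.
    """
    facts = {"mod_lua": False, "mod_proxy": False,
             "forward_proxy": False, "unix_socket_backend": False}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive == "loadmodule" and len(tokens) >= 2:
            if tokens[1] == "lua_module":
                facts["mod_lua"] = True
            elif tokens[1] == "proxy_module":
                facts["mod_proxy"] = True
        elif directive == "proxyrequests" and len(tokens) >= 2:
            facts["forward_proxy"] = tokens[1].lower() == "on"
        elif directive in ("proxypass", "proxypassmatch"):
            if any(t.strip('"').lower().startswith("unix:") for t in tokens[1:]):
                facts["unix_socket_backend"] = True
    return facts


def exposed_cves(version, facts):
    """Return the CVE identifiers this version/config combination is exposed to."""
    major, minor, patch = version
    findings = []
    if (major, minor) != (2, 4):
        return findings  # only the 2.4 branch is covered by these advisories
    if facts["mod_lua"] and patch <= 51:
        findings.append("CVE-2021-44790")
    if facts["forward_proxy"] and 7 <= patch <= 51:
        findings.append("CVE-2021-44224")
    if facts["mod_proxy"] and patch <= 48:
        findings.append("CVE-2021-40438")
    return findings


def triage(version_text, conf):
    """Combine the two parsers; returns the list of exposed CVEs."""
    return exposed_cves(parse_version(version_text), config_facts(conf))


if __name__ == "__main__":
    facts = config_facts(SAMPLE_CONF)
    print("version:", parse_version(SAMPLE_VERSION))
    print("config facts:", facts)
    print("exposed:", triage(SAMPLE_VERSION, SAMPLE_CONF))
    if facts["forward_proxy"] and facts["unix_socket_backend"]:
        print("note: forward proxy mixed with a UDS reverse-proxy target; "
              "CVE-2021-44224 here means SSRF to the socket, not just a crash")
```

For the constructed sample (2.4.51 with mod_lua, a forward proxy and a UDS backend) the script reports CVE-2021-44790 and CVE-2021-44224; dropping the version to 2.4.48 adds CVE-2021-40438, and 2.4.52 reports nothing. Independently of updating, `ProxyRequests Off` (the httpd default) removes the CVE-2021-44224 precondition on servers that were never meant to be forward proxies.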

Not every httpd deployment is exposed to these flaws, since each requires a specific module or proxy configuration, but administrators running affected versions should apply the 2.4.52 update promptly and keep up with subsequent patch releases from the foundation.