#34 Oh No, It's an Apache HTTPD Server Bug Now

To be clear, this has nothing to do with Log4Shell, but its reach may be just as wide as Log4j's, given that Apache HTTPD is embedded in almost every kind of software project.

Don't tune out at the latest mention of Apache: two critical bugs in its HTTP web server, HTTPD, need to be patched, lest attackers use them to trigger denial of service (DoS) or bypass your security policies.

Apache made headlines earlier for Log4Shell, and it is in the news again because of two bugs in HTTPD, its web server.

CVE Details

Both vulnerabilities affect Apache HTTP Server 2.4.51 and earlier. See the link below for the official CVE details:

https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-66/Apache-Http-Server.html

  1. CVE-2021-44790
  2. CVE-2021-44224

Both of these were published on 20-12-2021.

The first issue (CVE-2021-44790) is in the function "r:parsebody" of the "mod_lua Multipart Parser" component. As the VulDB vulnerability database describes it, "manipulation with an unknown input leads to a memory-corruption vulnerability" that "is going to have an impact on confidentiality, integrity and availability."

Various security agencies note that the issue is reportedly easy to exploit: the attack can be launched remotely and requires no form of authentication, which could leave servers at risk of serious harm. You may not be exposing these bugs through your configuration, because they live in optional run-time modules that you might not actually be using. But if you are using these modules, whether you realize it or not, you could be at risk of server crashes, data leakage or even remote code execution.

Although technical details are known, there’s no available exploit – at least, not yet.

Apache Changelog

Apache published these details for the two CVEs in its changelog:

  • CVE-2021-44790: Possible buffer overflow when parsing a carefully crafted request in the mod_lua multipart parser of Apache HTTP Server 2.4.51 and earlier. Apache said that its HTTPD team hasn’t seen an exploit, but “it might be possible to craft one.”
  • CVE-2021-44224: Possible NULL dereference or Server Side Request Forgery (SSRF) in forward proxy configurations, likewise in Apache HTTP Server 2.4.51 and earlier.
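
Because both bugs sit in optional modules (mod_lua for CVE-2021-44790, the forward-proxy code of mod_proxy for CVE-2021-44224) and only in 2.4.51 or earlier, the first thing a defender needs is a quick way to tell whether a given host is even in scope. The POSIX shell helper below is an added example, not code from the original post or from the Apache project. It parses the text that `httpd -v` and `httpd -M` print; the sample output embedded at the bottom is constructed so the script runs offline, and on a real host you would feed it `"$(httpd -v)"` and `"$(httpd -M 2>/dev/null)"` instead (the `triage` function and the verdict strings are this example's own).

```shell
#!/bin/sh
# Added triage helper (not from the original post or the Apache project): classify an
# httpd instance against CVE-2021-44790 / CVE-2021-44224 using the text printed by
# `httpd -v` and `httpd -M`. Sample input below is constructed for offline use.

# Return 0 when the "Server version:" line reports 2.4.51 or earlier,
# 1 when it is newer, 2 when no 2.4.x version can be parsed from the input.
httpd_version_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}
    # Only the 2.4.x line is covered by the advisory; anything else is "unknown".
    { [ "$major" = 2 ] && [ "$minor" = 4 ] && [ "$patch" != "$rest" ]; } || return 2
    [ "$patch" -le 51 ]
}

# Print one line per affected optional module found in `httpd -M` output.
# Prints nothing when neither mod_lua nor mod_proxy is loaded.
exposed_modules() {
    printf '%s\n' "$1" | awk '
        /^ *lua_module /   { print "mod_lua loaded: in scope for CVE-2021-44790 (multipart parser)" }
        /^ *proxy_module / { print "mod_proxy loaded: in scope for CVE-2021-44224 only when configured as a forward proxy (ProxyRequests On)" }'
}

# Combine both checks into a short verdict for one host.
triage() {
    rc=0
    httpd_version_affected "$1" || rc=$?
    case $rc in
        0) echo "VERSION: 2.4.51 or earlier, upgrade to 2.4.52 or later" ;;
        1) echo "VERSION: newer than 2.4.51, not affected by these two CVEs"; return 0 ;;
        *) echo "VERSION: could not determine a 2.4.x version from input" ;;
    esac
    mods=$(exposed_modules "$2")
    if [ -n "$mods" ]; then
        echo "$mods"
    else
        echo "MODULES: neither mod_lua nor mod_proxy is loaded, so the vulnerable code paths are not reachable"
    fi
}

# Constructed sample output in the format of `httpd -v` and `httpd -M`.
SAMPLE_VERSION='Server version: Apache/2.4.51 (Unix)
Server built:   Oct  7 2021 00:00:00'
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 lua_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)'

triage "$SAMPLE_VERSION" "$SAMPLE_MODULES"
```

The module check is deliberately conservative: a loaded mod_proxy only matters for CVE-2021-44224 if the server is actually acting as a forward proxy, so the output says so rather than declaring the host vulnerable outright. Run it across your inventory, and the hosts that print both a "2.4.51 or earlier" verdict and a loaded mod_lua or forward-proxy mod_proxy are the ones to patch first.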

An Omnipresent HTTPD server

Teknonauts noted that Apache's web server has "more than 3,000 files totaling close to a million LOC," making it not only "a large and capable server," but one with "complex combinations of modules and options, making it both powerful and dangerous at the same time."

These bugs shouldn't get lost amidst the Log4j mess. You almost certainly have Apache HTTPD in your network somewhere. Just like Log4j, HTTPD has a habit of getting itself quietly included in software projects, for example as part of an internal service that works so well that it rarely draws attention to itself, or as a component built unobtrusively into a product or service you sell that isn't predominantly thought of as "containing a web server."

That could mean these vulnerabilities are just as far-reaching as Log4j, according to Ashish Kumar Singal, Principal Architect at Oracle.

We all need a Priority Patch ASAP

Teknonauts urges IT teams to address the CVEs immediately, prioritizing anything that is publicly accessible or web-facing. Those are the assets attackers will scan for in order to find vulnerable systems and exploit the vulnerability.

After that, security teams should move on to assessing and addressing internal servers and applications to which only employees have access.

“The scope of impact is likely more limited than what we’ve seen recently, but that shouldn’t change the urgency with which the CVEs are patched,” we recommend. “If attackers aren’t yet in a vulnerable environment, they will be scanning the internet for vulnerable software using HTTPD. However, if the attacker has already made their initial entry and is performing activity on the environment, they will likely try to locate vulnerable internal assets. This highlights the importance of understanding how every user in your infrastructure accesses and interacts with your apps and the data stored in them.”

Still, given that “these are typical web services deployed facing the internet,” the “patch ASAP” rule yet again applies.
