Cybersecurity specialists report the detection of multiple vulnerabilities in Apache HTTP Server. According to the report, successful exploitation of these flaws would allow threat actors to deploy remote attacks against exposed deployments.
Below are brief descriptions of the reported flaws, in addition to their respective identification keys and scores assigned according to the Common Vulnerability Scoring System (CVSS).
CVE-2021-44790: A limit error when parsing multi-party content in mod_lua would allow remote threat actors to send specially crafted HTTP requests to the affected web server, trigger a buffer overflow, and execute arbitrary code on the compromised system.
This is a critical flaw and received a CVSS score of 8.7/10, as its successful exploitation would put the affected system at total risk.
CVE-2021-44224: Moreover, this flaw exists due to insufficient validation of user-provided input in forward proxy configurations. Remote threat actors could send specially crafted HTTP requests and trick the web server into initiating requests to arbitrary systems or force a block from the web server.
This is a flaw of medium severity and received a CVSS score of 6.3/10. Hackers could deploy a server-side request forgery (SSRF) attack for configurations that combine direct and reverse proxy.
According to the report, the vulnerabilities reside in the following apache HTTP Server versions: 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12, 2.4.13, 2.4.14, 2.4.15, 2.4.16, 2.4.17, 2.4.18, 2.4.19, 2.4.20, 2.4.21, 2.4.22, 2.4.23, 2.4.24, 2.4.25, 2.4.26, 2.4.27, 2.4.28, 2.4.29, 2.4.32, 2.4.33, 2.4.34, 2.4.35, 2.4.36, 2.4.37, 2.4.38, 2.4.39, 2.4.40, 2.4.41, 2.4.42, 2.4.43, 2.4.44, 2.4.45, 2.4.46, 2.4.47, 2.4.48, 2.4.49, 2.4.50 & 2.4.51.
Even though flaws can be exploited remotely by unauthenticated threat actors, cybersecurity experts have not detected active exploitation attempts. Still, users of affected deployments are encouraged to upgrade as soon as possible.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
