
Apache Releases Security Update for Apache HTTP Server 2.4

Summary

Apache has released an update that fixes vulnerabilities in Apache HTTP Server 2.4.


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

The Apache Software Foundation has released Apache HTTP Server 2.4.52, which addresses vulnerabilities CVE-2021-44790 and CVE-2021-44224.

CVE-2021-44790, rated by Apache as high and with a critical CVSSv3 rating of 9.8, could allow a crafted request body to cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). A remote attacker could exploit this vulnerability to take control of an affected system.

CVE-2021-44224 is rated by Apache as moderate and has a high CVSSv3 rating of 8.2. This vulnerability could allow a crafted URI, under certain conditions, to cause a crash (NULL pointer dereference) or allow Server Side Request Forgery by directing requests to a declared Unix Domain Socket endpoint.


Remediation advice

Affected organisations are encouraged to review the Apache HTTP Server 2.4 security advisory page and announcement, and apply the necessary update.
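A triage helper that a defender could run against captured `httpd -v` and `httpd -M` output to see which hosts still need this update, as an added example (not code from the advisory or from Apache). The sample outputs are constructed; the script assumes a version string below 2.4.52 means unpatched, and flags CVE-2021-44790 only where lua_module is loaded, since that bug sits in the mod_lua multipart parser.

```python
# Added example: map the two CVEs from the 2.4.52 advisory onto one host.
import re

FIXED_VERSION = (2, 4, 52)  # release that addresses both CVEs per the advisory

# Constructed sample of `httpd -v` on an unpatched host
SAMPLE_VERSION_OUTPUT = "Server version: Apache/2.4.51 (Unix)\nServer built:   Oct  7 2021\n"
# Constructed sample of `httpd -M` with mod_lua enabled
SAMPLE_MODULES_OUTPUT = """Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 lua_module (shared)
"""


def parse_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from the 'Server version:' line."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Apache version found in banner")
    return tuple(int(x) for x in m.groups())


def loaded_modules(listing: str) -> set:
    """Return the set of module names listed by `httpd -M`."""
    return set(re.findall(r"^\s*(\w+_module)\s+\((?:static|shared)\)", listing, re.M))


def assess(banner: str, listing: str) -> dict:
    """Report, per CVE, whether this host is still exposed.

    CVE-2021-44790 lives in mod_lua's multipart parser, so it only matters
    when lua_module is loaded. The advisory does not tie CVE-2021-44224 to a
    particular module, so it is reported for every unpatched build.
    """
    version = parse_version(banner)
    mods = loaded_modules(listing)
    unpatched = version < FIXED_VERSION
    return {
        "version": ".".join(map(str, version)),
        "needs_update": unpatched,
        "CVE-2021-44790": unpatched and "lua_module" in mods,
        "CVE-2021-44224": unpatched,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_OUTPUT, SAMPLE_MODULES_OUTPUT))
```

Distribution packages often backport fixes without bumping the upstream version string, so treat a "needs_update" result as a prompt to check the vendor's changelog rather than as proof of exposure.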



Last edited: 30 December 2021 11:11 am