Brief description of the vulnerability
On December 23, 2021, 360CERT monitoring found that Apache had officially released a security advisory fixing multiple vulnerabilities, including CVE-2021-44224 and CVE-2021-44790. Vulnerability level: High Risk. Vulnerability score: 8.2.
Apache HTTP Server is an open-source web server from the Apache Software Foundation. It runs on most operating systems and, thanks to its portability and security record, is one of the most widely deployed web server products.
360CERT therefore recommends that all users upgrade Apache HTTP Server to the latest version promptly. At the same time, inventory your assets and put preventive measures in place to avoid attacks.
Risk Level
The 360CERT rating for this vulnerability is as follows
Dimension | Rating |
---|---|
Threat level | High risk |
Impact | Widespread |
Attacker value | High |
Exploitation difficulty | Medium |
360CERT score | 8.2 |
Impacted Versions
Component | Affected versions | Secure version |
---|---|---|
Apache HTTP Server | <= 2.4.51 | 2.4.52 |
Vulnerability details
CVE-2021-44224: Apache HTTP Server Server-Side Request Forgery Vulnerability
- CVE: CVE-2021-44224
- Component: Apache HTTP Server
- Vulnerability Type: Server-side request forgery
- Impact: Server-side request forgery; denial of service (NULL pointer dereference)
Short description: When Apache HTTP Server is configured as a forward proxy (ProxyRequests On), it does not adequately validate the request URI supplied by the client. A remote attacker can send a crafted HTTP request that triggers a NULL pointer dereference and crashes the handling process, or, in configurations that mix forward-proxy and reverse-proxy declarations, causes the request to be routed to a Unix domain socket endpoint declared in the reverse-proxy configuration. The latter is a server-side request forgery that lets the attacker reach services on the server's internal network.
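The configuration pattern the SSRF depends on, shown as an added example that is not from the 360CERT advisory or the httpd project (the hostnames, socket path and subnet are assumptions): a forward proxy and a reverse-proxy mapping to a Unix domain socket declared in the same server scope, followed by a layout that removes the mixed configuration while the upgrade to 2.4.52 is rolled out.

```apache
# Added example, not from the 360CERT advisory or the httpd project.
# Hostnames, the socket path and the subnet are assumptions for illustration.

# Exposed pattern on httpd <= 2.4.51: forward proxying (ProxyRequests On) is
# enabled in the same server scope as a reverse-proxy mapping to a Unix
# domain socket. A crafted request URI sent to the forward proxy can be
# routed to the socket declared by ProxyPass (CVE-2021-44224). The Require
# rule limits who can reach the forward proxy but does not remove the bug.
<VirtualHost *:8080>
    ServerName proxy.example.internal
    ProxyRequests On
    ProxyPass "/app/" "unix:/var/run/app/backend.sock|http://localhost/app/"
    <Proxy "*">
        Require ip 10.0.0.0/8
    </Proxy>
</VirtualHost>

# Reduced-exposure layout until 2.4.52 is installed: the reverse proxy lives
# in its own virtual host with forward proxying explicitly off (the default,
# stated here so the intent is visible). If forward proxying is genuinely
# needed, keep it in a separate virtual host with no ProxyPass declarations
# and restrict it to trusted clients; if it is not needed, drop that host.
<VirtualHost *:443>
    ServerName app.example.com
    ProxyRequests Off
    ProxyPass "/app/" "unix:/var/run/app/backend.sock|http://localhost/app/"
    ProxyPassReverse "/app/" "http://localhost/app/"
</VirtualHost>

<VirtualHost *:8080>
    ServerName proxy.example.internal
    ProxyRequests On
    <Proxy "*">
        Require ip 10.0.0.0/8
    </Proxy>
</VirtualHost>
```

The upgrade to 2.4.52 is the fix; separating the declarations only removes the mixed forward/reverse configuration that the SSRF path relies on, and the NULL pointer dereference still requires the upgrade.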
CVE-2021-44790: Apache HTTP Server Buffer Overflow Vulnerability
- CVE: CVE-2021-44790
- Component: Apache HTTP Server
- Vulnerability Type: Buffer overflow
- Impact: Arbitrary code execution
Short description: A boundary error in the mod_lua multipart parser (r:parsebody(), called from Lua scripts) lets a remote attacker send a crafted request body that overflows a buffer and may lead to arbitrary code execution on the target server. The vulnerable code is reached only when a Lua handler calls r:parsebody() on a multipart request body. mod_lua is not enabled by default, and an Apache HTTP Server that does not load this module is not affected by this vulnerability.
Patching suggestions
Check the version you are running against the affected-version table above and upgrade to the secure version, 2.4.52.
Download link: https://httpd.apache.org/download.cgi#apache24
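An offline triage script for the self-examination step, added here as an example (it is not part of the 360CERT advisory or the httpd project). It takes the text of `httpd -v` and `httpd -M` (`apachectl -M` on some distributions), checks the build against the affected range in the table above, and reports which of the two CVEs the loaded modules expose. The sample command outputs are constructed for the example, not captured from a real host.

```sh
#!/bin/sh
# Added example (not part of the 360CERT advisory or of the httpd project):
# offline triage for CVE-2021-44224 and CVE-2021-44790 from the text of
# `httpd -v` and `httpd -M`. A build is in the affected range when it is
# 2.4.51 or older; the two CVEs live in different modules:
#   mod_proxy (proxy_module) carries the CVE-2021-44224 code path,
#   mod_lua   (lua_module)   carries the CVE-2021-44790 code path.
# The sample outputs below are constructed, not captured from a real host.

# Print the version ("2.4.51") from `httpd -v` output, or nothing if absent.
httpd_version_from_v() {
    printf '%s\n' "$1" \
        | sed -n 's/^Server version: Apache\/\([0-9.]*\).*/\1/p' \
        | head -n 1
}

# Succeed (status 0) when MAJOR.MINOR.PATCH is 2.4.51 or older.
httpd_version_affected() {
    v=$1
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # drop ".1" or "-1ubuntu1" style suffixes
    [ "$major" -lt 2 ] && return 0
    [ "$major" -gt 2 ] && return 1
    [ "$minor" -lt 4 ] && return 0
    [ "$minor" -gt 4 ] && return 1
    [ "$patch" -le 51 ]
}

# Succeed when module $2 (e.g. lua_module) is listed in `httpd -M` output $1.
module_loaded() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*$2[[:space:]]"
}

# Print a one-line verdict. Returns 0 when an upgrade is needed, 1 when the
# build is already 2.4.52 or newer, 2 when the version could not be parsed.
triage() {
    ver=$(httpd_version_from_v "$1")
    if [ -z "$ver" ]; then
        echo "unknown-version"; return 2
    fi
    if ! httpd_version_affected "$ver"; then
        echo "not-affected"; return 1
    fi
    hits=""
    module_loaded "$2" proxy_module && hits="$hits CVE-2021-44224"
    module_loaded "$2" lua_module && hits="$hits CVE-2021-44790"
    if [ -z "$hits" ]; then
        # Old build with neither module loaded: no exposed code path from
        # these two CVEs right now, but the build still needs the upgrade.
        echo "upgrade-only"; return 0
    fi
    echo "${hits# }"
}

# Constructed sample outputs standing in for `httpd -v` and `httpd -M`.
SAMPLE_V='Server version: Apache/2.4.51 (Unix)
Server built:   Oct  7 2021 11:21:49'
PATCHED_V='Server version: Apache/2.4.52 (Unix)
Server built:   Dec 16 2021 10:03:22'
SAMPLE_M='Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (shared)
 proxy_module (shared)
 proxy_http_module (shared)
 lua_module (shared)'

# Offline run on the constructed samples. Against a live host use:
#   triage "$(httpd -v)" "$(httpd -M 2>/dev/null)"
triage "$SAMPLE_V" "$SAMPLE_M"      # prints: CVE-2021-44224 CVE-2021-44790
```

The module check is deliberately separate from the version check: a 2.4.51 build without mod_lua is not exposed to CVE-2021-44790, but the script still reports it as needing the upgrade, because the next configuration change that loads the module would turn it into an exposed host.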
Timeline
- 2021-12-21 Apache released the official security advisory
- 2021-12-23 360CERT issued this notice