Sunday, July 14, 2024
EHA

Critical Security Flaws with Apache HTTP Server Let Hackers Execute Arbitrary Code Remotely

An urgent update has been released (Apache HTTP Server 2.4.52) recently by the Apache Software Foundation to resolve critical vulnerabilities in its Apache HTTP Server. 

The discovered vulnerability was marked as critical and it could be exploited by the threat actors to take control of a vulnerable system. 

Apart from this, even CISA, the U.S. government’s security response agency has also requested open-source community users to immediately update their old vulnerable version with the latest one.

Flaws Forced to Release Update

Here we have mentioned the flaws that have forced to release an urgent update with the patch:-

  • CVE ID: CVE-2021-44790
  • Description: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier.
  • Severity: Critical
  • CVSS: 9.8
  • CVE ID: CVE-2021-44224
  • Description: Possible NULL dereference or SSRF in forwarding proxy configurations in Apache HTTP Server 2.4.51 and earlier.
  • Severity: High
  • CVSS: 8.2

While the latest GA release of the new generation 2.4.x branch of Apache HTTPD is the newly released version that is Apache HTTP Server 2.4.52, and Apache has recommended all the users to immediately update all the prior versions.

Here’s what the foundation stated:-

“A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).”

Where to download?

If you want to download the most recent version of Apache HTTP Server, version 2.4.52 then you can visit the here, as it’s the official download channel of Apache foundation.

Moreover, in the list of known exploited vulnerabilities, these security flaws are identified by the cybersecurity experts, and all these are maintained by the U.S. government’s security response agency CISA.

Website

Latest articles

mSpy Data Breach: Millions of Customers’ Data Exposed

mSpy, a widely used phone spyware application, has suffered a significant data breach, exposing...

Advance Auto Parts Cyber Attack: Over 2 Million Users Data Exposed

RALEIGH, NC—Advance Stores Company, Incorporated, a prominent commercial entity in the automotive industry, has...

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery,...

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept...

Hackers Created 700+ Fake Domains to Sell Olympic Games Tickets

As the world eagerly anticipates the Olympic Games Paris 2024, a cybersecurity threat has...

Japanese Space Agency Spotted zero-day via Microsoft 365 Services

The Japan Aerospace Exploration Agency (JAXA) has revealed details of a cybersecurity incident that...

Top 10 Active Directory Management Tools – 2024

Active Directory Management Tools are essential for IT administrators to manage and secure Active...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles