Friday, April 19, 2024

Critical Security Flaws with Apache HTTP Server Let Hackers Execute Arbitrary Code Remotely

An urgent update has been released (Apache HTTP Server 2.4.52) recently by the Apache Software Foundation to resolve critical vulnerabilities in its Apache HTTP Server. 

The discovered vulnerability was marked as critical and it could be exploited by the threat actors to take control of a vulnerable system. 

Apart from this, even CISA, the U.S. government’s security response agency has also requested open-source community users to immediately update their old vulnerable version with the latest one.

Flaws Forced to Release Update

Here we have mentioned the flaws that have forced to release an urgent update with the patch:-

  • CVE ID: CVE-2021-44790
  • Description: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier.
  • Severity: Critical
  • CVSS: 9.8
  • CVE ID: CVE-2021-44224
  • Description: Possible NULL dereference or SSRF in forwarding proxy configurations in Apache HTTP Server 2.4.51 and earlier.
  • Severity: High
  • CVSS: 8.2

While the latest GA release of the new generation 2.4.x branch of Apache HTTPD is the newly released version that is Apache HTTP Server 2.4.52, and Apache has recommended all the users to immediately update all the prior versions.

Here’s what the foundation stated:-

“A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).”

Where to download?

If you want to download the most recent version of Apache HTTP Server, version 2.4.52 then you can visit the here, as it’s the official download channel of Apache foundation.

Moreover, in the list of known exploited vulnerabilities, these security flaws are identified by the cybersecurity experts, and all these are maintained by the U.S. government’s security response agency CISA.


Latest articles

Alert! Windows LPE Zero-day Exploit Advertised on Hacker Forums

A new zero-day Local Privilege Escalation (LPE) exploit has been put up for sale...

Palo Alto ZeroDay Exploited in The Wild Following PoC Release

Palo Alto Networks has disclosed a critical vulnerability within its PAN-OS operating system, identified...

FIN7 Hackers Attacking IT Employees Of Automotive Industry

IT employees in the automotive industry are often targeted by hackers because they have...

Russian APT44 – The Most Notorious Cyber Sabotage Group Globally

As Russia's invasion of Ukraine enters its third year, the formidable Sandworm (aka FROZENBARENTS,...

SoumniBot Exploiting Android Manifest Flaws to Evade Detection

A new banker, SoumniBot, has recently been identified. It targets Korean users and is...

LeSlipFrancais Data Breach: Customers’ Personal Information Exposed

LeSlipFrancais, the renowned French underwear brand, has confirmed a data breach impacting its customer...

Cisco Hypershield: AI-Powered Hyper-Distributed Security for Data Center

Cisco has unveiled its latest innovation, Cisco Hypershield, marking a milestone in cybersecurity.This groundbreaking...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.


Mastering WAAP/WAF ROI Analysis

As the importance of compliance and safeguarding critical websites and APIs grows, Web Application and API Protection (WAAP) solutions play an integral role.
Key takeaways include:

  • Pricing models
  • Cost Estimation
  • ROI Calculation

Related Articles