Critical Security Flaws with Apache HTTP Server Let Hackers Execute Arbitrary Code Remotely

An urgent update has been released (Apache HTTP Server 2.4.52) recently by the Apache Software Foundation to resolve critical vulnerabilities in its Apache HTTP Server. 

The discovered vulnerability was marked as critical and it could be exploited by the threat actors to take control of a vulnerable system. 

Apart from this, even CISA, the U.S. government’s security response agency has also requested open-source community users to immediately update their old vulnerable version with the latest one.

Flaws Forced to Release Update

Here we have mentioned the flaws that have forced to release an urgent update with the patch:-

  • CVE ID: CVE-2021-44790
  • Description: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier.
  • Severity: Critical
  • CVSS: 9.8
  • CVE ID: CVE-2021-44224
  • Description: Possible NULL dereference or SSRF in forwarding proxy configurations in Apache HTTP Server 2.4.51 and earlier.
  • Severity: High
  • CVSS: 8.2

While the latest GA release of the new generation 2.4.x branch of Apache HTTPD is the newly released version that is Apache HTTP Server 2.4.52, and Apache has recommended all the users to immediately update all the prior versions.

Here’s what the foundation stated:-

“A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).”

Where to download?

If you want to download the most recent version of Apache HTTP Server, version 2.4.52 then you can visit the here, as it’s the official download channel of Apache foundation.

Moreover, in the list of known exploited vulnerabilities, these security flaws are identified by the cybersecurity experts, and all these are maintained by the U.S. government’s security response agency CISA.

Leave a Reply