Brief description of the vulnerability

On December 23, 2021, 360CERT monitoring found that Apache had officially released a security notice fixing multiple vulnerabilities, among them CVE-2021-44224 and CVE-2021-44790. Vulnerability level: High Risk; vulnerability score: 8.2.

Apache HTTP Server is an open-source web server from the Apache Software Foundation. It runs on most operating systems and, thanks to its multi-platform support and security, is one of the most widely used web server products.

360CERT therefore recommends that all users upgrade Apache HTTP Server to the latest version promptly, and that they audit their own assets and take preventive measures to avoid attacks.

Risk Level

The 360CERT rating for this vulnerability is as follows:

Criterion                Rating
Threat level             High risk
Impact                   Widespread
Attacker value           High
Exploitation difficulty  Medium
360CERT score            8.2

Impacted Versions

Component            Affected versions   Secure version
Apache HTTP Server   <= 2.4.51           2.4.52

Vulnerability details

CVE-2021-44224: Apache HTTP Server Server-side Request Forgery Vulnerability

  • CVE: CVE-2021-44224
  • Component: Apache HTTP Server
  • Vulnerability Type: Server-side Request Forgery
  • Impact: Server-side request forgery

Short Description: Because the Apache HTTP Server forward proxy configuration does not adequately validate user-supplied input, a remote attacker can send maliciously crafted HTTP requests that lead to null pointer dereferences and server-side request forgery, and can use the vulnerability to reach the server's internal network.

CVE-2021-44790: Apache HTTP Server Buffer Overflow Vulnerability

  • CVE: CVE-2021-44790
  • Component: Apache HTTP Server
  • Vulnerability Type: Buffer Overflow
  • Impact: Arbitrary code execution

Short Description: Due to a boundary error in the mod_lua multipart parser (r:parsebody() called from a Lua script), a remote attacker could send a maliciously crafted HTTP request that causes a buffer overflow and, in turn, executes arbitrary code on the target server. This module is not enabled by default, however, and Apache HTTP Server instances without it enabled are not affected by this vulnerability.

Patching suggestions

Check your deployment against the affected-version table above and upgrade to the secure version.

Download link: https://httpd.apache.org/download.cgi#apache24
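As an added triage check (not part of the 360CERT notice or of the Apache project), the script below reads the banner printed by `httpd -v` and the module list printed by `httpd -M`, compares the version with 2.4.52 and reports whether mod_lua is loaded, which decides whether CVE-2021-44790 is reachable. The command names and output formats are Apache's own; the sample outputs embedded at the bottom are constructed so the script runs offline.

```shell
# Added triage helper, not from the 360CERT notice or the Apache project. It parses the
# real output formats of `httpd -v` and `httpd -M`; the sample outputs below are constructed.

SAFE_VERSION="2.4.52"   # fixed release named in the notice

# version_from_banner TEXT: print "2.4.51" from "Server version: Apache/2.4.51 (Unix)"
version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# version_lt A B: true (0) if dotted version A is older than B; missing fields count as 0
version_lt() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# module_loaded LIST NAME: true if NAME (e.g. lua_module) appears in `httpd -M` output
module_loaded() {
    printf '%s\n' "$1" | grep -q "^ *$2 "
}

# triage BANNER MODULES: print one verdict line (OK:, AFFECTED: or UNKNOWN:) for the two CVEs
triage() {
    v=$(version_from_banner "$1")
    [ -n "$v" ] || { echo "UNKNOWN: banner not recognised, check the version manually"; return 0; }
    if ! version_lt "$v" "$SAFE_VERSION"; then
        echo "OK: Apache/$v is at or above $SAFE_VERSION"
        return 0
    fi
    out="AFFECTED: Apache/$v, upgrade to $SAFE_VERSION; CVE-2021-44224 (SSRF if forward proxy configured)"
    if module_loaded "$2" lua_module; then
        out="$out; CVE-2021-44790 exposed (mod_lua loaded)"
    else
        out="$out; CVE-2021-44790 not exposed (mod_lua not loaded)"
    fi
    echo "$out"
}

# Constructed sample outputs; on a real host run: triage "$(httpd -v)" "$(httpd -M 2>/dev/null)"
SAMPLE_BANNER="Server version: Apache/2.4.51 (Unix)"
SAMPLE_MODULES="Loaded Modules:
 lua_module (shared)"
triage "$SAMPLE_BANNER" "$SAMPLE_MODULES"
```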

Timeline

  • 2021-12-21 Apache official release notice
  • 2021-12-23 360CERT issued a notice

References

https://httpd.apache.org/security/vulnerabilities_24.html