Issued: Tuesday, 28 December, 2021
Last Revision: Tuesday, 28 December, 2021
The Apache Software Foundation has released a new version of the Apache HTTP Server (2.4.52) to address two vulnerabilities, rated Critical and High, one of which could lead to remote code execution.
CVE-2021-44790: a carefully crafted request body can cause a buffer overflow in mod_lua of affected Apache HTTP Server versions when it parses multipart content (r:parsebody() called from Lua scripts).
CVE-2021-44224: a NULL pointer dereference or Server Side Request Forgery (SSRF) in forward proxy configurations of Apache HTTP Server 2.4.51 and earlier. A crafted URI can trigger either a crash (NULL pointer dereference) or SSRF.
| CVE/Vulnerability | Description | CVSS 3.0 Score |
| --- | --- | --- |
| CVE-2021-44790 | Buffer overflow vulnerability in mod_lua | 9.8 |
| CVE-2021-44224 | NULL dereference or SSRF vulnerability in forward proxy configurations | 8.2 |

Table 1: Vulnerability details
| CVE/Vulnerability | Affected Product(s) |
| --- | --- |
| CVE-2021-44790 | Apache HTTP Server <= 2.4.51 |
| CVE-2021-44224 | Apache HTTP Server >= 2.4.7, <= 2.4.51 |

Table 2: Vulnerable versions
Organizations are strongly encouraged to upgrade to Apache HTTP Server version 2.4.52 or later.
The released version mitigates both of the vulnerabilities described above. Organizations are advised to assess their environment, identify any instances running a vulnerable version, and take the necessary action to mitigate these vulnerabilities accordingly.
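As an added example (not part of this advisory), the following Python check maps the version string reported by `httpd -v` or a `Server` response header onto the affected ranges in Table 2. The sample strings are constructed, and the function names are this example's own.

```python
import re

# Affected ranges taken from Table 2 of this advisory, as (low, high) inclusive tuples.
VULN_RANGES = {
    "CVE-2021-44790": ((0, 0, 0), (2, 4, 51)),   # Apache HTTP Server <= 2.4.51
    "CVE-2021-44224": ((2, 4, 7), (2, 4, 51)),   # Apache HTTP Server >= 2.4.7, <= 2.4.51
}
FIXED_VERSION = (2, 4, 52)

# Matches "Apache/2.4.51" in "Server version: Apache/2.4.51 (Unix)" or a Server header.
VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the (major, minor, patch) tuple found in `text`, or None when the
    full version is not exposed (e.g. 'ServerTokens Prod' emits only 'Apache')."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def affected_cves(version):
    """List the CVEs from Table 2 whose range contains `version`.
    Tuples are compared numerically, which avoids the string-comparison
    pitfall where '2.4.7' sorts after '2.4.51'."""
    return [cve for cve, (lo, hi) in VULN_RANGES.items() if lo <= version <= hi]


def assess(text):
    """Assess one version string: 'unknown' if no version is visible, otherwise
    the list of applicable CVEs (empty when the server is at 2.4.52 or later).
    Caveat: distributions that backport fixes may keep an old version string,
    so a hit here should be confirmed against the vendor's changelog."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    return affected_cves(version)


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from real hosts.
    samples = [
        "Server version: Apache/2.4.51 (Unix)",
        "Server: Apache/2.4.6 (CentOS)",
        "Server version: Apache/2.4.52 (Unix)",
        "Server: Apache",
    ]
    for s in samples:
        print(f"{s!r}: {assess(s)}")
```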
