Apache HTTP Server CVE-2021-44224, CVE-2021-44790 Vulnerabilities Alert

On December 20, 2021, Apache officially issued a security notice to fix multiple vulnerabilities. The vulnerability numbers included are: CVE-2021-44224, CVE-2021-44790, vulnerability level is a high risk.

The Apache HTTP Server is a free and open-source cross-platform web server software, released under the terms of Apache License 2.0. Apache is developed and maintained by an open community of developers under the auspices of the Apache Software Foundation. It can run on most computer operating systems. It is widely used due to its multi-platform and security. It is one of the most popular web server-side software.

Vulnerability Details

CVE-2021-44224: Possible NULL dereference or SSRF in forward proxy configurations

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery).

Affected version

Apache HTTP Server: >=2.4.7, <=2.4.51

CVE-2021-44790: Possible buffer overflow when parsing multipart content in mod_lua

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). But this module is not enabled by default, and Apache HTTP Server without this module is not affected by this vulnerability.

Affected version

Apache HTTP Server <=2.4.51

Solution

In this regard, we recommend that users upgrade Apache HTTP Server to the 2.4.52 version in time.

Tags: CVE-2021-44224 CVE-2021-44790