CVE-2024-40725 & CVE-2024-40898: Apache HTTP Server Flaws Put Millions of Websites at Risk
The Apache Software Foundation has issued a security advisory regarding two critical vulnerabilities, CVE-2024-40725 and CVE-2024-40898, affecting Apache HTTP Server versions 2.4.0 through 2.4.61. These flaws pose significant risks to web servers worldwide, potentially leading to source code disclosure and server-side request forgery (SSRF) attacks.
CVE-2024-40725: Source Code Disclosure via Handlers Configured with AddType
This vulnerability is a partial fix regression for a previous issue, CVE-2024-39884, which was thought to be resolved in version 2.4.61. However, attackers can still exploit certain legacy configuration settings to expose sensitive source code, including PHP scripts that should be executed instead of displayed. This flaw could reveal confidential information and compromise server integrity.
CVE-2024-40898: SSRF with mod_rewrite on Windows
This SSRF vulnerability specifically targets Apache HTTP Server on Windows systems. When combined with mod_rewrite configurations in server or virtual host contexts, attackers can potentially extract NTML hashes from the server. These hashes can be used to gain unauthorized access or launch further attacks on the network.
Mitigation and Urgent Upgrade
The widespread use of Apache HTTP Server amplifies the impact of these vulnerabilities. From small businesses to large enterprises, countless websites and applications rely on this software to power their online presence. The potential for exploitation is vast, and the consequences could be far-reaching. Cybercriminals could use these vulnerabilities to gain a foothold in systems, steal sensitive data, deface websites, or even launch ransomware attacks.
The Apache Software Foundation strongly recommends that all users upgrade to version 2.4.62 immediately. This update addresses both vulnerabilities and provides essential protection against potential attacks. Delaying the upgrade could leave web servers exposed to serious security risks.
