posted by janrinok on Thursday December 23 2021, @02:45AM

Critical Apache HTTPD Server Bugs Could Lead to RCE, DoS:

Don't duck at the latest mention of Apache: Two critical bugs in its HTTP web server – HTTPD – need to be patched pronto, lest they lead to attackers triggering denial of service (DoS) or bypassing your security policies.

Apache, the open-source software foundation behind the Log4J logging library that's been making for so many Log4Shell headlines, on Monday put out an update to fix the two bugs in HTTPD, which is a web server that's right up there with Log4j in its ubiquity.

Both vulnerabilities are found in Apache HTTP Server 2.4.51 and earlier.

[...] In a Tuesday writeup of the two CVEs, Sophos principal security researcher Paul Ducklin said that the two bugs could leave servers at risk of some serious hurt.

"These bugs might not be exposed in your configuration, because they are part of optional run-time modules that you might not actually be using," Ducklin noted. "But if you are using these modules, whether you realize it or not, you could be at risk of server crashes, data leakage or even remote code execution."

On Monday, Apache published these details for the two CVEs in its changelog:

  • CVE-2021-44790: Possible buffer overflow when parsing a carefully crafted request in the mod_lua multipart parser of Apache HTTP Server 2.4.51 and earlier. Apache said that its HTTPD team hasn't seen an exploit, but "it might be possible to craft one."
  • CVE-2021-44224: Possible NULL dereference or Server Side Request Forgery (SSRF) in forward proxy configurations, likewise in Apache HTTP Server 2.4.51 and earlier.

On Tuesday, CERT-FR sent out an alert about the issue.
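The article states the two exposure conditions (mod_lua loaded for CVE-2021-44790; a forward proxy configuration for CVE-2021-44224) and the affected versions (2.4.51 and earlier). The helper below is an added example, not code from the article or from the Apache project: it reads `httpd -v` and `httpd -M` output plus the server config text and reports which of the two CVEs a host actually meets the conditions for, treating 2.4.52 (the release that carried the fix) as patched. Sample inputs are constructed; the config scan is a single-file check that does not follow `Include` directives.

```python
import re

# Apache shipped the fix in 2.4.52; the article says 2.4.51 and earlier are affected.
FIXED_VERSION = (2, 4, 52)

def parse_version(httpd_v_line):
    """Pull (major, minor, patch) from a `httpd -v` line such as
    'Server version: Apache/2.4.51 (Unix)', or from a bare '2.4.51'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", httpd_v_line)
    if m is None:
        raise ValueError("no Apache version in %r" % httpd_v_line)
    return tuple(int(x) for x in m.groups())

def loaded_modules(httpd_m_output):
    """Collect module names from `httpd -M` output lines like ' lua_module (shared)'."""
    return set(re.findall(r"^\s*(\w+_module)\b", httpd_m_output, re.M))

def directive_on(conf_text, directive):
    """True if `<directive> On` is active, i.e. not behind a '#' comment.
    Single-file check only: it does not follow Include/IncludeOptional."""
    pat = re.compile(r"^\s*" + re.escape(directive) + r"\s+On\b", re.I | re.M)
    return pat.search(conf_text) is not None

def assess(httpd_v_line, httpd_m_output, conf_text):
    """Map each CVE to whether the conditions the article lists are all met."""
    version = parse_version(httpd_v_line)
    mods = loaded_modules(httpd_m_output)
    unpatched = version < FIXED_VERSION
    return {
        "version": version,
        "unpatched": unpatched,
        # mod_lua multipart parser buffer overflow: needs mod_lua loaded
        "CVE-2021-44790": unpatched and "lua_module" in mods,
        # NULL dereference / SSRF in forward proxy configurations: needs
        # mod_proxy loaded and forward proxying (ProxyRequests On) enabled
        "CVE-2021-44224": unpatched and "proxy_module" in mods
                          and directive_on(conf_text, "ProxyRequests"),
    }

# Constructed sample inputs standing in for `httpd -v`, `httpd -M` and httpd.conf.
SAMPLE_VERSION = "Server version: Apache/2.4.51 (Unix)"
SAMPLE_MODULES = """Loaded Modules:
 core_module (static)
 proxy_module (shared)
 proxy_http_module (shared)
 lua_module (shared)
"""
SAMPLE_CONF = """# ProxyRequests On    <- commented out, so not active
ProxyRequests On
LoadModule lua_module modules/mod_lua.so
"""

if __name__ == "__main__":
    for key, val in assess(SAMPLE_VERSION, SAMPLE_MODULES, SAMPLE_CONF).items():
        print(key, val)
```

A host that is unpatched but has neither condition still needs the update; the report only says which of the two bugs is reachable as configured.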


  • (Score: -1, Spam) by Anonymous Coward on Thursday December 23 2021, @03:14AM

    by Anonymous Coward on Thursday December 23 2021, @03:14AM (#1207300)

    HELLO! HELP IS ON THE WAY DEAR!

    HELP IS ON THE WAY!

  • (Score: 2, Interesting) by Anonymous Coward on Thursday December 23 2021, @03:24AM (9 children)

    by Anonymous Coward on Thursday December 23 2021, @03:24AM (#1207302)

    I thought NGINX was the "default" webserver these days.

    • (Score: 3, Interesting) by hendrikboom on Thursday December 23 2021, @04:04AM (1 child)

      by hendrikboom (1125) on Thursday December 23 2021, @04:04AM (#1207309) Homepage Journal

      I just use lighttpd.
      Very simple.

      • (Score: 3, Funny) by driverless on Thursday December 23 2021, @12:14PM

        by driverless (4770) on Thursday December 23 2021, @12:14PM (#1207384)

        What's wrong with 'cat index.html > /dev/eth0'?

    • (Score: 1) by mydn on Thursday December 23 2021, @05:11AM (1 child)

      by mydn (4215) on Thursday December 23 2021, @05:11AM (#1207319)

      We just had to patch a bunch of log4j vulnerabilities, I'm glad we don't have these. We do use NGINX, but we use it along with Tomcat.

    • (Score: 1, Informative) by Anonymous Coward on Thursday December 23 2021, @06:57AM (1 child)

      by Anonymous Coward on Thursday December 23 2021, @06:57AM (#1207335)

      On the front side. But there are a lot of Apache http installs hiding behind them.

      • (Score: 2) by pkrasimirov on Thursday December 23 2021, @08:49AM

        by pkrasimirov (3358) Subscriber Badge on Thursday December 23 2021, @08:49AM (#1207349)

        This one is affected only if mod_lua is enabled or it is used as a forward proxy.

    • (Score: 4, Informative) by RS3 on Thursday December 23 2021, @07:30AM (1 child)

      by RS3 (6367) on Thursday December 23 2021, @07:30AM (#1207338)
      • (Score: 4, Interesting) by bussdriver on Friday December 24 2021, @08:17PM

        by bussdriver (6876) on Friday December 24 2021, @08:17PM (#1207653)

        I use nginx as a reverse proxy for Apache. You'll see nginx but the real work is Apache... for simple stuff I might just have nginx handle it. With a bunch of work and wizardry you can probably get an Apache working almost as well... or a couple of them; but the main thing for nginx is its design... I would think Apache could do it; maybe a version 3? 2 did so much that you can get it to do anything-- but its complexity and power prevents people from doing what they want.

    • (Score: 1, Funny) by Anonymous Coward on Thursday December 23 2021, @10:26AM

      by Anonymous Coward on Thursday December 23 2021, @10:26AM (#1207363)

      Use IIS ;)

  • (Score: -1, Offtopic) by Anonymous Coward on Thursday December 23 2021, @04:15AM

    by Anonymous Coward on Thursday December 23 2021, @04:15AM (#1207310)

    It's fun to bring your pee pee out to play during the holidays, isn't it?

  • (Score: 2) by choose another one on Thursday December 23 2021, @11:00AM (1 child)

    by choose another one (515) on Thursday December 23 2021, @11:00AM (#1207371)

    Almost sounds like the Apache guys are spending the holiday season in frantic security audit mode. Wonder why?

    • (Score: 0) by Anonymous Coward on Sunday December 26 2021, @12:06AM

      by Anonymous Coward on Sunday December 26 2021, @12:06AM (#1207872)

      I thought communists don't celebrate Christmas, and so that's why?
