===========================================================================
                      ZMCIRT Vulnerability Bulletin

                           ZMC-2021.09.20.1700
                  Apache HTTP Server 2.4 vulnerabilities
                              20th Sep 2021
===========================================================================

Product:           Apache HTTP Server
Publisher:         Apache Software Foundation
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Access Confidential Data       -- Remote/Unauthenticated
                   Reduced Security               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-40438 CVE-2021-39275 CVE-2021-36160
                   CVE-2021-34798 CVE-2021-33193
Reference:         ESB-2021.2985
                   ESB-2021.2978

Original Bulletin:
   https://httpd.apache.org/security/vulnerabilities_24.html

Apache HTTP Server 2.4 vulnerabilities

The initial GA release, Apache httpd 2.4.1, includes fixes for all
vulnerabilities which have been resolved in Apache httpd 2.2.22 and all
older releases. Consult the Apache httpd 2.2 vulnerabilities list for more
information.

Fixed in Apache HTTP Server 2.4.49

moderate: Request splitting via HTTP/2 method injection and mod_proxy
(CVE-2021-33193)

A crafted method sent through HTTP/2 will bypass validation and be
forwarded by mod_proxy, which can lead to request splitting or cache
poisoning.

This issue affects Apache HTTP Server 2.4.17 to 2.4.48.

Acknowledgements: Reported by James Kettle of PortSwigger

Reported to security team 2021-05-11
Issue public 2021-08-06
Update 2.4.49 released 2021-09-16
Affects =2.4.48, 2.4.17

moderate: NULL pointer dereference in httpd core (CVE-2021-34798)

Malformed requests may cause the server to dereference a NULL pointer.

This issue affects Apache HTTP Server 2.4.48 and earlier.

Acknowledgements: The issue was discovered by the Apache HTTP security team

Update 2.4.49 released 2021-09-16
Affects =2.4.48

moderate: mod_proxy_uwsgi out of bound read (CVE-2021-36160)

A carefully crafted request uri-path can cause mod_proxy_uwsgi to read
above the allocated memory and crash (DoS).

This issue affects Apache HTTP Server versions 2.4.30 to 2.4.48
(inclusive).

Acknowledgements: LI ZHI XIN from NSFocus Security Team

Reported to security team 2021-04-26
Update 2.4.49 released 2021-09-16
Affects =2.4.48, !2.4.30

low: ap_escape_quotes buffer overflow (CVE-2021-39275)

ap_escape_quotes() may write beyond the end of a buffer when given
malicious input. No included modules pass untrusted data to these
functions, but third-party / external modules may.

This issue affects Apache HTTP Server 2.4.48 and earlier.

Acknowledgements: ClusterFuzz

Update 2.4.49 released 2021-09-16
Affects =2.4.48

high: mod_proxy SSRF (CVE-2021-40438)

A crafted request uri-path can cause mod_proxy to forward the request to
an origin server chosen by the remote user.

This issue affects Apache HTTP Server 2.4.48 and earlier.

Acknowledgements: The issue was discovered by the Apache HTTP security team
while analysing CVE-2021-36160

Update 2.4.49 released 2021-09-16
Affects =2.4.48

ZMCIRT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. ZMCIRT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Internet Email: report@cirt.zm
Telephone: 7070

ZMCIRT personnel answer during Zambian business hours which are 8am to 5pm.
On call after hours for member emergencies only.
===========================================================================
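
Added triage example (not part of the original bulletin or of Apache's own tooling): it takes the output of `httpd -v` and `httpd -M` and lists which of the five CVEs above apply, using the version ranges and module names stated in the bulletin. The mapping of mod_proxy, mod_proxy_uwsgi and HTTP/2 to the identifiers `proxy_module`, `proxy_uwsgi_module` and `http2_module` is an assumption about how they appear in `httpd -M` output, and the sample banner and module listing are constructed.

```python
import re

# (CVE, first affected 2.4.x patch level, modules that must be loaded),
# taken from the ranges and module names stated in the bulletin above.
# Module identifiers are assumed to match those printed by `httpd -M`.
ADVISORIES = [
    ("CVE-2021-33193", 17, {"http2_module", "proxy_module"}),
    ("CVE-2021-34798", 0, set()),
    ("CVE-2021-36160", 30, {"proxy_uwsgi_module"}),
    ("CVE-2021-39275", 0, set()),  # reachable only through third-party modules
    ("CVE-2021-40438", 0, {"proxy_module"}),
]
LAST_AFFECTED = 48  # all five issues are fixed in 2.4.49


def parse_version(banner):
    """Extract (major, minor, patch) from `httpd -v` output."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no Apache version found in banner")
    return tuple(int(x) for x in m.groups())


def parse_modules(listing):
    """Extract module identifiers from `httpd -M` output."""
    pattern = r"^\s*(\w+_module)\s+\((?:static|shared)\)"
    return set(re.findall(pattern, listing, re.M))


def applicable(banner, listing):
    """Return the CVEs whose version range and module conditions both match."""
    major, minor, patch = parse_version(banner)
    if (major, minor) != (2, 4):
        raise ValueError("bulletin covers the 2.4 branch only")
    loaded = parse_modules(listing)
    return [cve for cve, first, needed in ADVISORIES
            if first <= patch <= LAST_AFFECTED and needed <= loaded]


# Constructed sample input, shaped like `httpd -v` and `httpd -M` output.
SAMPLE_BANNER = "Server version: Apache/2.4.46 (Unix)\n"
SAMPLE_MODULES = """Loaded Modules:
 core_module (static)
 http_module (static)
 proxy_module (shared)
 proxy_http_module (shared)
"""

if __name__ == "__main__":
    for cve in applicable(SAMPLE_BANNER, SAMPLE_MODULES):
        print(cve)
```

Distribution packages often backport fixes without changing the upstream version string, so treat a match as a prompt to check the vendor's advisory for the installed package rather than as proof of exposure.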