The Apache Software Foundation has released an update to address a critical flaw in its hugely popular web server that allows remote attackers to take control of a vulnerable system.
The foundation has released version 2.4.52 of the Apache HTTP Server (web server) that addresses two flaws tracked as CVE-2021-44790 and CVE-2021-44224, which have respective CVSS severity scores of 9.8 (critical) and 8.2 (high) out of a possible 10. A score of 9.8 is very bad, and in recent weeks has only been topped by the Log4j vulnerability known as Log4Shell, which had a severity score of 10 out of 10.
The first Apache web server flaw is a memory-related buffer overflow affecting Apache HTTP Server 2.4.51 and earlier. The Cybersecurity and Infrastructure Security Agency (CISA) warns it “may allow a remote attacker to take control of an affected system”. The less serious flaw allows for server-side request forgery in Apache HTTP Server 2.4.7 up to 2.4.51.
This release of Apache HTTP Server is the latest generally available release of the new generation 2.4.x branch of Apache HTTPD from Apache’s 26-year-old HTTP Server Project, which maintains an important and modern open-source HTTP server for Unix and Windows platforms.
Apache HTTP Server is the second most widely used web server on the internet behind Nginx, according to W3Techs, which estimates it’s used by 31.4% of the world’s websites. UK security firm Netcraft estimates 283 million websites used Apache HTTP Server in December 2021, representing 24% of all web servers.
The critical bug is apparently not under attack yet but the HTTPD team believes it has the potential to be weaponized.
“The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one,” the Apache HTTPD team said.
“A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts),” Apache Foundation’s Stefan Eissing explained on a mailing list.
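A defender's triage helper, added here and not taken from the article or the Apache project: it reads the output of `httpd -v` and `httpd -M`, applies the version ranges quoted above for the two CVEs, and flags the mod_lua overflow only when mod_lua is actually loaded. The sample banner and module listing are constructed, not captured from a real host.

```python
"""Triage a host against the two Apache HTTP Server flaws fixed in 2.4.52.

Version ranges follow the advisory text: CVE-2021-44790 affects 2.4.51 and
earlier (mod_lua multipart parser), CVE-2021-44224 affects 2.4.7 to 2.4.51.
"""
import re

FIXED = (2, 4, 52)                 # first release carrying both fixes
SSRF_FIRST_AFFECTED = (2, 4, 7)    # CVE-2021-44224 starts at 2.4.7


def parse_version(banner: str) -> tuple:
    """Extract (major, minor, patch) from an `httpd -v` banner."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no Apache version in banner: {banner!r}")
    return tuple(int(x) for x in m.groups())


def loaded_modules(listing: str) -> set:
    """Return module names from `httpd -M` output, e.g. {'lua_module', ...}."""
    return set(re.findall(r"^\s*(\w+_module)\s+\((?:shared|static)\)", listing, re.M))


def triage(banner: str, listing: str) -> dict:
    """Report which of the two CVEs this build and module set is exposed to."""
    ver = parse_version(banner)
    mods = loaded_modules(listing)
    unpatched = ver < FIXED
    return {
        "version": ver,
        "patch_needed": unpatched,
        # The overflow lives in mod_lua's multipart parser (r:parsebody()),
        # so an unpatched build is exposed only when mod_lua is loaded.
        "CVE-2021-44790": unpatched and "lua_module" in mods,
        "CVE-2021-44224": SSRF_FIRST_AFFECTED <= ver < FIXED,
    }


# Constructed sample output for an unpatched host with mod_lua enabled.
SAMPLE_BANNER = "Server version: Apache/2.4.51 (Unix)\nServer built:   Oct  7 2021 00:00:00"
SAMPLE_MODULES = """Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 lua_module (shared)
 proxy_module (shared)
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BANNER, SAMPLE_MODULES).items():
        print(f"{key}: {value}")
```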
As Netcraft notes, Apache HTTP Server, which is written in C, wasn’t directly impacted by the flaw in the Java-based Log4j error messaging library. However, even web servers written in non-Java languages may still have integrated the vulnerable Log4j library elsewhere in their technology stack. IBM’s web server, WebSphere, integrates Log4j and was vulnerable, but Netcraft found only 3,778 sites using it.
The Apache Software Foundation has released three updates in the past week in the wake of the widespread Log4Shell vulnerability in the Log4j version 2 branch.
Cybersecurity agencies from the US, Australia, Canada, New Zealand and the United Kingdom yesterday released guidance for organizations to address the bug. The bug is expected to take months to resolve because the Log4j library has been integrated as a component into hundreds of software products from major vendors, including IBM, Cisco, VMware, Red Hat and Oracle. The library also ships with important frameworks, such as Apache’s Struts2.