Developers fix multitude of vulnerabilities in Apache HTTP Server

Numerous vulnerabilities have been identified and fixed in Apache HTTP Server 2.4, including high-impact server-side request forgery (SSRF) and request smuggling bugs.

The Apache HTTP Server Project is a collaborative project to develop and maintain an open source software-based HTTP server for modern operating systems including UNIX and Windows. The technology is claimed to be the most popular web server on the internet.

The most serious of the group, CVE-2021-40438, was found by the Apache HTTP security team and is reported with a CVSS score of 8.1. The flaw stems from insufficient validation of user-supplied input in the mod_proxy module and allows an unauthenticated remote attacker to perform SSRF attacks.

A specially crafted request with a chosen uri-path can cause mod_proxy to forward the request to an origin server chosen by the attacker rather than the one configured by the administrator. From there the attacker can reach services on the internal network that the proxy can see, read data from them, or send malicious requests to other servers with the proxy's network position.

Meanwhile, CVE-2021-33193, rated moderate severity, was reported by PortSwigger security researcher James Kettle on 11 May 2021.

The flaw allows a crafted method sent over HTTP/2 to bypass validation and be forwarded by mod_proxy. Because the proxy re-serializes the request as HTTP/1.1 toward the back end, a method token that should have been rejected can be spliced into the request line, potentially leading to request splitting or cache poisoning.
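To make the mechanism concrete, the following is an added illustration, not code from the Apache project or from the original article, and it does not claim to reproduce the exact httpd code path. It models a front end that copies the HTTP/2 `:method` pseudo-header into an HTTP/1.1 request line without checking it against the RFC 7230 token grammar, shows how a method containing CR/LF makes the back end see two requests, and pairs it with the validation check that stops it. The pseudo-header values and host names are constructed for the example.

```python
import re

# RFC 7230 "token" grammar: a method is one or more tchar characters.
# Spaces, CR, LF and slashes are all outside it, so a method that carries
# them must be rejected before the request is forwarded.
TCHAR_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def is_valid_method(method: str) -> bool:
    """True only if the method is a well-formed token (GET, POST, PURGE, ...)."""
    return bool(TCHAR_TOKEN.match(method))


def h2_to_h1(pseudo: dict, headers: list) -> bytes:
    """Re-serialize HTTP/2 pseudo-headers as an HTTP/1.1 request head.

    This is the unsafe path: :method is copied into the request line
    verbatim, so any CRLF inside it becomes structure on the wire.
    """
    request_line = f"{pseudo[':method']} {pseudo[':path']} HTTP/1.1\r\n"
    host = f"Host: {pseudo[':authority']}\r\n"
    rest = "".join(f"{name}: {value}\r\n" for name, value in headers)
    return (request_line + host + rest + "\r\n").encode()


def safe_h2_to_h1(pseudo: dict, headers: list) -> bytes:
    """Hardened path: refuse to forward anything whose method is not a token."""
    if not is_valid_method(pseudo[":method"]):
        raise ValueError(f"rejecting non-token method: {pseudo[':method']!r}")
    return h2_to_h1(pseudo, headers)


def count_request_heads(raw: bytes) -> int:
    """Approximate how a back end reading a byte stream would split this:
    each non-empty chunk terminated by a blank line is one request head."""
    return len([part for part in raw.split(b"\r\n\r\n") if part])


# Constructed sample input (not from the original article).
BENIGN = {":method": "GET", ":path": "/index.html", ":authority": "front.example"}

# Constructed attacker-controlled :method containing CRLF and a second
# request line. A front end that does not validate the token forwards it.
EVIL = {
    ":method": "GET /admin HTTP/1.1\r\nHost: backend.internal\r\n\r\nGET",
    ":path": "/index.html",
    ":authority": "front.example",
}

if __name__ == "__main__":
    print("benign heads seen by back end:", count_request_heads(h2_to_h1(BENIGN, [])))
    print("evil heads seen by back end:  ", count_request_heads(h2_to_h1(EVIL, [])))
    try:
        safe_h2_to_h1(EVIL, [])
    except ValueError as exc:
        print("hardened front end:", exc)
```

Running it shows the benign request arriving as one head and the crafted one arriving as two, which is the request-splitting condition the advisory describes; the hardened function refuses the second before any bytes reach the back end. The same token check is the one to apply to any proxy or gateway that converts between HTTP versions.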

Those interested in learning more about Kettle’s HTTP/2 request smuggling research should check out our recent coverage from Black Hat USA.

Patches issued on 16 September resolve these two vulnerabilities along with three others: a moderate-severity NULL pointer dereference triggered by malformed requests (CVE-2021-34798), an out-of-bounds read in mod_proxy_uwsgi that a crafted uri-path can use to crash the server (CVE-2021-36160), and a low-impact buffer overflow in ap_escape_quotes that only affects third-party modules passing untrusted data to that function (CVE-2021-39275).

All five flaws are resolved in Apache HTTP Server 2.4.49; administrators running any earlier 2.4 release with mod_proxy enabled should treat the upgrade as a priority.

Apache's 2.4 vulnerabilities page has the full details for each CVE.

Source: https://portswigger.net/daily-swig/developers-fix-multitude-of-vulnerabilities-in-apache-http-server
