Apache, whose name has been in the news for the past two weeks due to the severe vulnerability in the Log4j logging library, issued yet another update. This time, it has nothing to do with the Log4j vulnerability (dubbed Log4Shell).
Apache issued a patch addressing two CVE-numbered flaws in the httpd server. According to the cybersecurity company Sophos, which published a detailed report on the topic, Apache’s httpd is a large and capable server with myriad combinations of modules and options, making it both powerful and dangerous at the same time.
Fortunately, Sophos noted, the open-source httpd product receives constant attention from its developers, getting regular updates that bring new features along with critical security patches.
The two vulnerabilities that got fixed this time:
- CVE-2021-44790: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier.
- CVE-2021-44224: Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier.
“These bugs might not be exposed in your configuration because they are part of optional run-time modules that you might not actually be using. But if you are using these modules, whether you realize it or not, you could be at risk of server crashes, data leakage, or even remote code execution,” Sophos said.
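Since both flaws live in optional modules, the practical question for an administrator is whether a given server is 2.4.51 or earlier and whether mod_lua or a forward-proxy mod_proxy setup is actually loaded. The helper below is an added example, not code from the article, Sophos or the Apache project; it parses the output shape of `apachectl -v` and `apachectl -M` and looks for `ProxyRequests On` in configuration text. The sample version line, module list and config lines are constructed so it runs offline, and the configuration path in the usage comment is an assumed default.

```shell
#!/bin/sh
# Added audit helper (not from the article, Sophos or the Apache project).
# It answers the two questions the advisories raise: is this httpd 2.4.51 or
# earlier, and are the optional modules involved (mod_lua; mod_proxy acting as
# a forward proxy via "ProxyRequests On") actually loaded and enabled?

# Constructed sample data standing in for "apachectl -v", "apachectl -M" and
# the server configuration, so the helper can be exercised offline.
SAMPLE_VERSION_LINE='Server version: Apache/2.4.51 (Unix)'
SAMPLE_MODULES='Loaded Modules:
 core_module (static)
 proxy_module (shared)
 proxy_http_module (shared)
 lua_module (shared)'
SAMPLE_CONFIG='ServerRoot "/etc/httpd"
ProxyRequests On
ProxyVia On'

# Pull "2.4.51" out of a "Server version: Apache/2.4.51 (Unix)" line.
parse_httpd_version() {
  printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# Succeed when the version is in the affected range: 2.4.51 and earlier.
httpd_version_affected() {
  IFS=. read -r major minor patch <<EOF
$1
EOF
  major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
  patch=${patch%%[!0-9]*}; patch=${patch:-0}   # tolerate "51-suffix" style tails
  if [ "$major" -lt 2 ]; then return 0; fi
  if [ "$major" -eq 2 ] && [ "$minor" -lt 4 ]; then return 0; fi
  if [ "$major" -eq 2 ] && [ "$minor" -eq 4 ] && [ "$patch" -le 51 ]; then return 0; fi
  return 1
}

# Succeed when module $2 (e.g. lua_module) appears in "apachectl -M" output $1.
module_loaded() {
  printf '%s\n' "$1" | grep -q "^[[:space:]]*$2[[:space:]]"
}

# Succeed when the configuration text $1 enables forward proxying.
# Commented-out lines ("#ProxyRequests On") do not match.
forward_proxy_enabled() {
  printf '%s\n' "$1" | grep -qi '^[[:space:]]*ProxyRequests[[:space:]][[:space:]]*On'
}

# Print one line per finding for the given version line, module list and config.
# Always exits 0 so it can be used inside command substitution under "set -e".
audit_httpd() {
  ver=$(parse_httpd_version "$1")
  if [ -z "$ver" ]; then
    echo "could not determine httpd version; check manually"
    return 0
  fi
  if httpd_version_affected "$ver"; then
    if module_loaded "$2" lua_module; then
      echo "CVE-2021-44790: mod_lua is loaded on httpd $ver"
    fi
    if module_loaded "$2" proxy_module && forward_proxy_enabled "$3"; then
      echo "CVE-2021-44224: forward proxy (ProxyRequests On) on httpd $ver"
    fi
  fi
}

# Demo on the constructed sample: reports both CVEs.
# For a real host, feed it the live outputs instead (config path assumed; adjust):
#   audit_httpd "$(apachectl -v)" "$(apachectl -M)" "$(cat /etc/httpd/conf/httpd.conf)"
audit_httpd "$SAMPLE_VERSION_LINE" "$SAMPLE_MODULES" "$SAMPLE_CONFIG"
```

The config check only reads the text it is handed, so on a real host concatenate every file pulled in by `Include` directives (or the output of a config dump) before passing it in; a `ProxyRequests On` buried in an included vhost file is still a forward proxy.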
Apache has been under tight scrutiny for the last two weeks after a severe vulnerability in the Log4j logging library was publicly disclosed. Malicious actors, including nation-state cyber groups, have been exploiting the Log4Shell vulnerability in the wild. Experts called it the Fukushima moment for cybersecurity, and the full severity of the problem is yet to be unraveled.
“Just like Log4j, httpd has a habit of getting itself quietly included into software projects, for example as part of an internal service that works so well that it rarely draws attention to itself, or as a component built unobtrusively into a product or service you sell that isn’t predominantly thought of as ‘containing a web server’,” Sophos said.