Apache’s New Security Update For HTTPD Server Fixes Two Flaws


The Apache Software Foundation has released an update to address a critical flaw in its hugely popular web server that allows remote attackers to take control of a vulnerable system. 

The foundation has released version 2.4.52 of the Apache HTTP Server (web server) that addresses two flaws tracked as CVE-2021-44790 and CVE-2021-44224, which have respective CVSS severity scores of 9.8 (critical) and 8.2 (high) out of a possible 10. A score of 9.8 is very bad, and in recent weeks has only been topped by the Log4j vulnerability known as Log4Shell, which had a severity score of 10 out of 10.    


The first Apache web server flaw is a memory-corruption bug, a buffer overflow, affecting Apache HTTP Server 2.4.51 and earlier. The Cybersecurity and Infrastructure Security Agency (CISA) warns it “may allow a remote attacker to take control of an affected system”. The less serious flaw allows for server-side request forgery in Apache HTTP Server 2.4.7 up to 2.4.51.
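The practical question for an administrator is whether a given install falls inside the affected ranges quoted above. The following script is an added example, not a tool from the Apache project or from the article: it parses the version out of `httpd -v` output or a `Server:` response header and maps it onto the two ranges the article reports (2.4.51 and earlier for CVE-2021-44790, 2.4.7 through 2.4.51 for CVE-2021-44224). The banners and module list it runs against are constructed sample data; the `lua_module` name is what `apachectl -M` prints when mod_lua is loaded, and is only used to flag whether the overflow path is reachable.

```python
import re

# Affected ranges as reported in the article (added example, not Apache's own tooling).
# CVE-2021-44790: mod_lua multipart parser buffer overflow, 2.4.51 and earlier.
# CVE-2021-44224: server-side request forgery, 2.4.7 through 2.4.51.
FIXED_IN = (2, 4, 52)
AFFECTED = {
    "CVE-2021-44790": (None, (2, 4, 51)),      # (lower bound or None, upper bound), inclusive
    "CVE-2021-44224": ((2, 4, 7), (2, 4, 51)),
}

_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_httpd_version(banner: str):
    """Extract (major, minor, patch) from `httpd -v` output or a Server: header.

    Returns None when no dotted version is present, which is what you get with
    `ServerTokens Prod`; in that case the version must be read on the host itself.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def affected_cves(version):
    """Return the CVEs from the advisory whose affected range covers `version`."""
    hits = []
    for cve, (low, high) in AFFECTED.items():
        if low is not None and version < low:
            continue
        if version > high:
            continue
        hits.append(cve)
    return hits


def assess(banner: str, loaded_modules=()):
    """Combine the version and the module list into a short assessment.

    `loaded_modules` is meant to be the module identifiers from `apachectl -M`
    (e.g. "lua_module"); here it is supplied by the caller as sample data.
    """
    version = parse_httpd_version(banner)
    if version is None:
        return {"version": None, "cves": [],
                "note": "version not disclosed in banner; run httpd -v on the host"}
    cves = affected_cves(version)
    note = "up to date" if version >= FIXED_IN else "upgrade to 2.4.52 or later"
    if "CVE-2021-44790" in cves and "lua_module" not in loaded_modules:
        note += "; mod_lua not loaded, so the multipart parser is not reachable, but patch anyway"
    return {"version": version, "cves": cves, "note": note}


if __name__ == "__main__":
    # Constructed sample inputs, not captured from any real host.
    samples = [
        ("Server version: Apache/2.4.51 (Unix)", ("core_module", "lua_module")),
        ("Server: Apache/2.4.52 (Debian)", ("core_module",)),
        ("Server: Apache/2.4.6 (CentOS)", ("core_module",)),
        ("Server: Apache", ()),
    ]
    for banner, mods in samples:
        print(banner, "->", assess(banner, mods))
```

Because the SSRF range has a lower bound of 2.4.7, a 2.4.6 install is reported as affected only by the overflow; a banner with `ServerTokens Prod` yields no version at all, so the script tells you to check on the host rather than guessing.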


This release of Apache HTTP Server is the latest generally available release of the new generation 2.4.x branch of Apache HTTPD from Apache’s 26-year-old HTTP Server Project, which maintains an important and modern open-source HTTP server for Unix and Windows platforms. 

Apache HTTP Server is the second most widely used web server on the internet behind Nginx, according to W3Techs, which estimates it’s used by 31.4% of the world’s websites. UK security firm Netcraft estimates 283 million websites used Apache HTTP Server in December 2021, representing 24% of all web servers. 

The critical bug is apparently not under attack yet but the HTTPD team believes it has the potential to be weaponized.  

“The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one,” the Apache HTTPD team said.

“A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts),” Apache Foundation’s Stefan Eissing explained on a mailing
