NULL pointer errors, buffer overflows, SSRF and out-of-bounds reading vulnerabilities in Apache HTTP server. Patch now

Cybersecurity specialists report the detection of four vulnerabilities in Apache HTTP server, the open source server for UNIX, Microsoft Windows and other systems. According to the report, the successful exploitation of the flaws would allow the deployment of multiple attack variants.

Below are brief descriptions of the reported flaws, in addition to their respective tracking keys and scores assigned under the Common Vulnerability Scoring System (CVSS).

CVE-2021-34798: A NULL pointer dereference error would allow remote threat actors to send specially crafted HTTP requests to an affected web server, triggering a denial of service (DoS) condition.

This is a medium severity flaw and received a CVSS score of 6.5/10.

CVE-2021-36160: A boundary condition in module mod_proxy_uwsgi in Apache HTTP server would allow malicious hackers to send http requests with specially crafted uri-path, triggering the flaw and leading to a DoS scenario.

The flaw received a CVSS score of 6.5/10.

CVE-2021-39275: A limit error in the ap_escape_quotes() function would allow remote threat actors to send specially crafted requests to the affected server, causing memory corruption.

The vulnerability received a CVSS score of 4.9/10 and its successful exploitation would allow full compromise of the vulnerable system. It should be noted that exploitation requires the Apache module to pass unverified data to the affected function.

CVE-2021-40438: Improper validation of user-provided input in module mod_proxy would allow threat actors to send specially crafted HTTP requests with a chosen uri path and trick the web server into initiating requests to arbitrary systems.

This is a highly severe vulnerability and received a CVSS score of 8.1/10.

According to the report, all flaws were detected in the following Apache HTTP Server versions: 2.4.0, 2.4.0.0, 2.4.0.1, 2.4.0.2, 2.4.0.3, 2.4.0.4, 2.4.0.5, 2.4.0.6, 2.4.0.7, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12, 2.4.13, 2.4.14, 2.4.15, 2.4.16, 2.4.17, 2.4.18, 2.4.19, 2.4.20, 2.4.21, 2.4.22, 2.4.23, 2.4.24, 2.4.25, 2.4.26, 2.4.27, 2.4.28, 2.4.29, 2.4.32, 2.4.33, 2.4.34, 2.4.35, 2.4.36, 2.4.37, 2.4.38, 2.4.39, 2.4.40, 2.4.41, 2.4.42, 2.4.43, 2.4.44, 2.4.45, 2.4.46, 2.4.47 & 2.4.48.

Vulnerabilities can be exploited remotely by unauthenticated threat actors, although no active exploitation attempts were detected at the time of writing. Still, cybersecurity specialists recommend users of affected implementations updating as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.