Apache 2.4.49 http server release with vulnerabilities fixed

The Apache HTTP Server 2.4.49 release has been published. It introduces 27 changes and fixes 5 vulnerabilities:

  • CVE-2021-33193 - mod_http2 is susceptible to a new variant of the HTTP Request Smuggling attack: by sending specially crafted client requests, an attacker can inject into the content of other users' requests forwarded through mod_proxy (for example, to substitute malicious JavaScript code into another site user's session).
  • CVE-2021-40438 - SSRF (Server Side Request Forgery) vulnerability in mod_proxy: a request with a specially crafted uri-path can redirect the proxied request to a server chosen by the attacker.
  • CVE-2021-39275 - Buffer overflow in the ap_escape_quotes function. The vulnerability is rated as low severity, since none of the standard modules pass external data to this function; however, third-party modules could theoretically do so and thereby make an attack possible.
  • CVE-2021-36160 - Out-of-bounds read in the mod_proxy_uwsgi module, resulting in a crash.
  • CVE-2021-34798 - NULL pointer dereference that crashes the worker process when handling specially crafted requests.
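As an added example (not part of the announcement or of the Apache project), the following triage helper maps the five CVEs to the modules named above and reports which of them may still apply to an installed build, given the output of `httpd -v` and `httpd -M`. It assumes the CVE-to-module mapping stated in the list (both mod_http2 and mod_proxy loaded for CVE-2021-33193; the two core bugs apply to every build), and the sample outputs are constructed.

```python
"""Triage helper: which of the CVEs fixed in Apache 2.4.49 may apply here?
Added example; the module mapping follows the announcement above."""
import re

FIXED_IN = (2, 4, 49)

# CVE -> modules that must be loaded for the issue to be reachable.
# None means the bug is in core and applies to every build of that version.
CVE_MODULES = {
    "CVE-2021-33193": {"http2_module", "proxy_module"},  # request smuggling
    "CVE-2021-40438": {"proxy_module"},                  # SSRF in mod_proxy
    "CVE-2021-39275": None,  # ap_escape_quotes overflow (core; needs 3rd-party caller)
    "CVE-2021-36160": {"proxy_uwsgi_module"},            # OOB read in mod_proxy_uwsgi
    "CVE-2021-34798": None,  # NULL pointer dereference (core)
}

def parse_version(httpd_v_output: str) -> tuple:
    """Extract (major, minor, patch) from `httpd -v` output."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    if not m:
        raise ValueError("no Apache version string found")
    return tuple(int(x) for x in m.groups())

def parse_modules(httpd_m_output: str) -> set:
    """Collect module names from `httpd -M` lines like ' proxy_module (shared)'."""
    return set(re.findall(r"^\s*(\w+_module)\s+\((?:shared|static)\)",
                          httpd_m_output, re.M))

def applicable_cves(httpd_v_output: str, httpd_m_output: str) -> list:
    """Return the CVEs from the announcement that this build is exposed to.
    Caveat: distribution packages often backport fixes without bumping the
    upstream version, so confirm against the vendor changelog before acting."""
    if parse_version(httpd_v_output) >= FIXED_IN:
        return []
    loaded = parse_modules(httpd_m_output)
    return [cve for cve, needed in CVE_MODULES.items()
            if needed is None or needed <= loaded]

# Constructed sample outputs (not captured from a real server).
SAMPLE_V = "Server version: Apache/2.4.48 (Unix)\nServer built:   Jun  1 2021 00:00:00\n"
SAMPLE_M = ("Loaded Modules:\n core_module (static)\n http2_module (shared)\n"
            " proxy_module (shared)\n proxy_http_module (shared)\n")

if __name__ == "__main__":
    for cve in applicable_cves(SAMPLE_V, SAMPLE_M):
        print("exposed:", cve)
```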

The most notable non-security changes are:

  • Quite a lot of internal changes in mod_ssl. The "ssl_engine_set", "ssl_engine_disable" and "ssl_proxy_enable" hooks have been moved from mod_ssl to the core. Alternative SSL modules can now be used to secure connections made via mod_proxy. Added the ability to log private keys, which can be used in Wireshark to analyze encrypted traffic.
  • mod_proxy: faster parsing of Unix socket paths passed in "proxy:" URLs.
  • The capabilities of the mod_md module, which automates obtaining and renewing certificates using the ACME (Automatic Certificate Management Environment) protocol, have been expanded. Allowed quoting of domains in and provided support for tls-alpn-01 for domain names not tied to virtual hosts.
  • Added the StrictHostCheck option, which disallows unconfigured hostnames as arguments to the "allow" list.

Source: opennet.ru
