2 Vulnerabilities Discovered in Apache HTTP Server
Update Version 2.4.52 Addresses Both Flaws; 1 Scored Critical
The Apache Software Foundation has released a new version of the Apache HTTP Server, 2.4.52, to address two flaws - one scored high and the other critical - in one of the world's leading web servers. With security practitioners racing to mitigate the vulnerabilities in Apache's Log4j logging library, these newly detected vulnerabilities in Apache's server software may now be leveraged for remote access, some experts say.
Neither vulnerability has any known exploits by attackers in the wild to date, according to the U.S. Cybersecurity and Infrastructure Security Agency. According to the vulnerability analysis by the National Institute of Standards and Technology, threat actors could leverage the flaws to carry out a cyberattack. Research by
The flaws have been tracked by CISA as CVE-2021-44790 and CVE-2021-44224. CVE-2021-44790 received a CVSS score of 9.8, or critical, and CVE-2021-44224 has a score of 8.2, or high.
If exploited, the critical vulnerability could allow an attacker to cause a buffer overrun in the mod_lua multipart parser, corrupting memory, crashing the server or providing a foothold for delivering malicious code. The high-ranked vulnerability affects HTTP Server version 2.4.7 and stems from configurations that mix forward and reverse proxy declarations, which can lead to a crash when ProxyRequests is turned on. The lesser flaw could also allow attackers to carry out server-side request forgery, which could lead to data or credential theft.
Apache is urging users and administrators to upgrade to mitigate the risks associated with these vulnerabilities. CISA also issued an alert last week stating that the critical vulnerability could potentially give threat actors remote access.
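As an added example (not code from the Apache project or from this article), the following POSIX shell audit flags the three things a defender would check on an httpd host in light of the flaws above: a version older than 2.4.52, mod_lua loaded, and ProxyRequests On mixed with reverse-proxy directives. The directive and module names are real; the sample config, backend host and version strings are constructed.

```shell
# Added example (not Apache project code): audit an httpd config file and version for
# the two risk factors described above. Directive and module names are real; the
# sample config and version strings are constructed for illustration.

# Exit 0 when config file $1 loads mod_lua, the module hit by CVE-2021-44790.
has_mod_lua() {
    grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+lua_module' "$1"
}
# Exit 0 when forward proxying is enabled with "ProxyRequests On".
has_forward_proxy() {
    grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+On' "$1"
}
# Exit 0 when reverse-proxy directives are declared in the same config.
has_reverse_proxy() {
    grep -Eiq '^[[:space:]]*ProxyPass(Reverse)?[[:space:]]' "$1"
}
# Exit 0 when version $1 (e.g. 2.4.51) is older than the fixed release 2.4.52.
version_older_than_fixed() {
    set -- $(printf '%s' "$1" | tr '.' ' ')   # split "a.b.c" into $1 $2 $3
    [ "${1:-0}" -lt 2 ] && return 0
    [ "$1" -eq 2 ] && [ "${2:-0}" -lt 4 ] && return 0
    [ "$1" -eq 2 ] && [ "${2:-0}" -eq 4 ] && [ "${3:-0}" -lt 52 ] && return 0
    return 1
}
# Print one line per finding (nothing when no action is needed) and always exit 0.
# Usage: audit_config <httpd.conf> <httpd version>
audit_config() {
    if version_older_than_fixed "$2"; then
        echo "UPDATE: httpd $2 is older than 2.4.52; apply the release"
    fi
    if has_mod_lua "$1"; then
        echo "RISK: mod_lua is loaded (CVE-2021-44790 surface); disable it if unused"
    fi
    if has_forward_proxy "$1" && has_reverse_proxy "$1"; then
        echo "RISK: ProxyRequests On mixed with reverse-proxy directives (CVE-2021-44224)"
    fi
    return 0
}

# Constructed sample config that triggers all three findings.
sample=$(mktemp)
cat > "$sample" <<'EOF'
LoadModule lua_module modules/mod_lua.so
ProxyRequests On
ProxyPass /app http://backend.example.internal:8080/
EOF
audit_config "$sample" 2.4.51
rm -f "$sample"
```

On a real host, point audit_config at the output of `httpd -V` for the version and at the merged configuration (including any included files) rather than a single file.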
Log4j Fallout
Apache has been regularly delivering emergency updates this month following the detection of the zero-day Log4j vulnerability, known as Log4Shell. Log4j is a logging library widely used in Java software and applications.
Last week, Apache again released an emergency update for its logging library - version 2.17 - that addressed a denial-of-service vulnerability attackers could exploit. (see: Time to Patch Log4j Again; Apache Releases 2.17 Fixing DoS).
Apache also routinely discloses vulnerabilities found in HTTPD, including another critical flaw - CVE-2021-42013 - that was detected in October, which could allow an attacker to leverage path traversal to access files on the server that should remain under lock and key, according to the Apache HTTP Server Project.
For some security experts, however, the latest CVEs do not compare to Log4j.
"Don’t get me wrong; we need to ensure we patch," says Jake Williams, a former member of the National Security Agency's elite hacking team and currently CTO at the firm BreachQuest. But he also says there would not be as much interest in the two flaws "if not for the illusory correlation" with Log4j.
A survey by the internet research firm Netcraft indicates most servers have integrated code with Log4j logging capabilities but do not use the Log4j library by default. Apache and Nginx, for example, are written in the C programming language and do not use Log4j by default. But this does not mean the vulnerable library is not used in some capacity, Netcraft says.
Williams also notes that mod_lua, the component affected by the critical vulnerability, is not enabled by default in Ubuntu, the open-source Linux distribution that is affected.
'Only a Matter of Time'
While there have been no known exploits of the vulnerabilities addressed in the latest Apache update, some experts believe it could be only a matter of time before threat actors find an entrance.
Matthew Warner, CTO and co-founder of threat detection and response firm Blumira, says HTTPD is the most-used server besides Nginx in the world. He says the scope could potentially be far-reaching, even though - unlike Log4j - the exploit and proof of concept were not dropped simultaneously.
"Now that patches have been released," says Warner, "it’s only a matter of time until the exploit [is] built."
Hank Schless, senior manager of security solutions for endpoint-to-cloud security firm Lookout, says, "If attackers aren’t yet in a vulnerable environment, they will be scanning the internet for vulnerable software using HTTPD." While the scope of impact is more limited, he says, it does not make patching any less urgent.
"This [alert] highlights the importance of understanding how every user in your infrastructure accesses and interacts with your apps and the data stored in them," according to Schless.
Mitigating the Threat
Instructions for downloading the latest version of HTTPD can be found at the Apache HTTP Server Project.
Lookout's Schless says IT teams should shift their focus to "anything publicly accessible or web-facing," because this is an attacker's starting point, before moving to internal servers.
And Blumira's Warner says operating system monitoring tools - such as Osquery or others - can help provide extra visibility into how network environments are being accessed.
Schless also says the vulnerabilities show that software flaws remain "inevitable" and security teams must remain vigilant with their patch processes.