Apache’s new security update for HTTP Server fixes two flaws | 中德网

The Apache Software Foundation has released an update to address a critical flaw in its popular web server that could allow remote attackers to take control of vulnerable systems.

The foundation released version 2.4.52 of Apache HTTP Server, which resolves two flaws tracked as CVE-2021-44790 and CVE-2021-44224. Their CVSS severity scores are 9.8 (critical) and 8.2 (high), respectively, out of 10. A score of 9.8 is very bad: in recent weeks, only the Log4j vulnerability known as Log4Shell, which carries a severity score of 10 out of 10, has ranked higher.

The first Apache web server flaw is a memory-related buffer overflow affecting Apache HTTP Server 2.4.51 and earlier versions. The Cybersecurity and Infrastructure Security Agency (CISA) warns that it "may allow remote attackers to control the affected system." The less serious flaw allows server-side request forgery in Apache HTTP Server 2.4.7 through 2.4.51.

This version of Apache HTTP Server is the latest public release of the 2.4.x branch of Apache HTTPD. It comes from Apache's 26-year-old HTTP server project, which maintains a robust, modern open source HTTP server for Unix and Windows platforms.

Apache HTTP Server is the second most widely used web server on the Internet after Nginx. According to W3Techs, an estimated 31.4% of websites worldwide use it. The British security company Netcraft estimates that 283 million websites used Apache HTTP Server in December 2021, accounting for 24% of all web servers.

The critical vulnerability does not appear to have been exploited yet, but the HTTPD team believes it could be weaponized.

The Apache HTTPD team stated: "The Apache httpd team is not aware of an exploit for this vulnerability, although it may be possible to create one."

"A carefully crafted request body may cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from a Lua script)," Stefan Eissing of the Apache Foundation explained on the mailing list.
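As an added defender-side check (example code, not from the article or the Apache project), the following POSIX shell script maps a server's `httpd -v` and `httpd -M` output onto the two affected version ranges the article gives: httpd up to 2.4.51 with mod_lua loaded for CVE-2021-44790, and httpd 2.4.7 through 2.4.51 for CVE-2021-44224. The sample output strings are constructed; on a real host, substitute the actual command output.

```shell
#!/bin/sh
# Added example: assess an Apache httpd install against the two CVEs fixed in 2.4.52.
#   CVE-2021-44790  mod_lua multipart parser overflow, httpd <= 2.4.51 (needs mod_lua loaded)
#   CVE-2021-44224  server-side request forgery, httpd 2.4.7 .. 2.4.51

# version_le A B -> exit 0 if dotted version A <= B (numeric, component-wise)
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# parse_httpd_version "<httpd -v output>" -> prints the version, e.g. 2.4.51
parse_httpd_version() {
    printf '%s\n' "$1" | sed -n 's#.*Apache/\([0-9][0-9.]*\).*#\1#p' | head -n 1
}

# assess VERSION "<httpd -M output>" -> prints affected CVE ids; exit 1 if any apply
assess() {
    ver=$1; mods=$2; hits=""
    if version_le "$ver" "2.4.51"; then
        # the overflow is only reachable when mod_lua is actually loaded
        case "$mods" in *lua_module*) hits="$hits CVE-2021-44790";; esac
        if version_le "2.4.7" "$ver"; then hits="$hits CVE-2021-44224"; fi
    fi
    printf '%s\n' "${hits# }"
    [ -z "$hits" ]
}

# Constructed sample input standing in for real `httpd -v` and `httpd -M` output
SAMPLE_V='Server version: Apache/2.4.51 (Unix)
Server built:   Oct  7 2021 00:00:00'
SAMPLE_M='Loaded Modules:
 core_module (static)
 lua_module (shared)
 proxy_module (shared)'

run_check() {
    v=$(parse_httpd_version "$SAMPLE_V")
    hits=$(assess "$v" "$SAMPLE_M") && echo "httpd $v: not in the affected ranges" \
        || echo "httpd $v affected by: $hits (upgrade to 2.4.52)"
}
run_check
```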

As Netcraft pointed out, Apache HTTP Server is not directly affected by the Java-based Log4j logging library because it is written in C. However, even a web server written in a language other than Java may still bundle the vulnerable Log4j library somewhere in its technology stack. IBM's WebSphere web server integrates Log4j and is vulnerable, but Netcraft found that only 3,778 sites use it.

Following the widespread Log4Shell vulnerability in the Log4j version 2 branch, the Apache Software Foundation has released three updates in the past week.

Cybersecurity agencies from the U.S., Australia, Canada, New Zealand, and the U.K. yesterday issued guidance for organizations on remediating the bug. Remediation is expected to take several months because the Log4j library has been integrated into hundreds of software products from major vendors, including IBM, Cisco, VMware, Red Hat and Oracle. The library also ships with important frameworks, such as Apache's Struts2.
