Please see Security Advisories for the week ending December 24, 2021
- Apache Releases Security Update for HTTP Server
- Mitigating Log4Shell and Other Log4j-Related Vulnerabilities
The Apache Software Foundation has released security update Apache HTTP Server 2.4.52 fixing two vulnerabilities found on the previous version.
The two vulnerabilities that were patched are CVE-2021-44224 and CVE-2021-44790.
The first vulnerability (CVE-2021-44224) can allow for a NULL pointer dereference or Server Side Request Forgery (SSRF) in forward proxy configurations, this vulnerability has a severity level as “moderate”.
The second vulnerability (CVE-2021-44790) can allow for a buffer overflow when parsing multipart content in mod_lua, this vulnerability has a severity level as “high”.
A remote attacker who is able to successfully exploit these vulnerabilities may allow them to take control of an affected device.
Apache recommends upgrading to Apache HTTP Server 2.4.52 or later to protect against these vulnerabilities. Additional information can be found in the links below.
For a brief overview:
Apache security advisory:
CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the cybersecurity authorities of Australia, New Zealand, Canada, and the United Kingdom have released a joint cybersecurity advisory in response to multiple vulnerabilities in Apache’s Log4j software library.
Threat actors are actively scanning networks to potentially exploit the Log4Shell in vulnerable systems. According to public reporting, Log4Shell are being actively exploited. Information can be found here:
The Log4Shell vulnerabilities are likely to increase and continue over an extended period of time.
CISA and its partners strongly urge all organizations to review the mitigation Log4Shell and other Log4j related vulnerabilities on: AA21-356A: Mitigating Log4Shell and Other Log4j-Related Vulnerabilities for detailed mitigations to their systems.