Multiple recently disclosed Apache vulnerabilities patched

Earlier this month, another set of vulnerabilities were publicly disclosed, this time in Apache code. Because Apache is, and has been for quite some time, the de facto web server for the (majority of the) Internet, even low impact vulnerabilities affecting it can have far-reaching effects.

The affected versions of Apache start at version 2.4.0 (one vulnerability of the four that were disclosed starts affecting version 2.4.39) up to and including version 2.4.46.

Patches are already available for systems protected with Extended Lifecycle Support.

Let’s take a closer look at the vulnerabilities. The first one is labeled CVE-2020-35452, and it’s a low-impact mod_auth_digest potential stack overflow. According to the description, while the vulnerability was indeed detected in the code, it would be hard to trigger without the use of peculiar compiler flag settings when compiling the Apache code. However, now that the problem is out in the open and malicious actors being what they are, they are undoubtedly trying to find ways to exploit it. Recalling previous stack overflow vulnerabilities, transforming a successful exploit into arbitrary code execution is common.

Next, CVE-2021-26690 is another low-impact vulnerability, this time in mod_session, where a NULL pointer dereference can crash Apache and cause a denial-of-service. Internally, the TuxCare team has determined that this should not be a low-impact vulnerability, and instead at least a moderate risk one. A Proof-of-Concept was developed to test the flaw, and it reliably crashed Apache child processes. Given how recently the disclosure occurred, it is possible that the severity will be raised soon in the official CVE record.

Another low-impact vulnerability affecting mod_session, CVE-2021-26691, is a problem with the way responses are handled when Apache communicates with backend request processors like PHP. This could, if exploited, lead to a heap overflow and possible information exfiltration. Due to the way communication happens between Apache and the backend, it is not easily exploitable, and if an attacker was in a position to do so, attacking Apache this way would be a convoluted alternative to what he already had at his disposal.

The last issue in this batch is a moderate-impact vulnerability, CVE-2021-30641, caused by unexpected URL matching when using “MergeSlashes OFF” in the configuration. While details are not yet fully available, the functionality mentioned could potentially lead to bypass of security checks  through specially crafted URLs. Official reports do not mention Ubuntu being susceptible to this, but internal testing revealed it to actually be, so patches for this system have also been made available.

If you’re running nginx rather than Apache, and in case you missed it, a vulnerability was disclosed late last month and fixed by the TuxCare team. Read more about it here.

The TuxCare team, as always, tests all the vulnerabilities so that you don’t have to. If you’re already an Extended Lifecycle Support service subscriber, you already have the patches available for the affected systems. If you are looking for more information on the service, you can find it here.