Recently Disclosed Apache Vulnerabilities Patched | tuxcare.com


Multiple recently disclosed Apache vulnerabilities patched

June 23, 2021 - TuxCare PR Team

Earlier this month, another set of vulnerabilities was publicly disclosed, this time in Apache code. Because Apache is, and has long been, the de facto web server for most of the Internet, even low-impact vulnerabilities affecting it can have far-reaching effects.

The affected versions of Apache range from 2.4.0 up to and including 2.4.46 (one of the four disclosed vulnerabilities only affects versions from 2.4.39 onward).

Patches are already available for systems protected with Extended Lifecycle Support.

Let's take a closer look at the vulnerabilities. The first is CVE-2020-35452, a low-impact potential stack overflow in mod_auth_digest. According to the description, while the flaw is indeed present in the code, it would be hard to trigger without peculiar compiler flag settings when building Apache. However, now that the problem is out in the open, malicious actors are undoubtedly trying to find ways to exploit it, and with previous stack overflow vulnerabilities, turning a successful exploit into arbitrary code execution has been common.


Next, CVE-2021-26690 is another low-impact vulnerability, this time in mod_session, where a NULL pointer dereference can crash Apache and cause a denial of service. Internally, the TuxCare team has determined that this should not be rated low-impact but at least moderate: a proof of concept developed to test the flaw reliably crashed Apache child processes. Given how recent the disclosure is, the severity may soon be raised in the official CVE record.


Another low-impact vulnerability affecting mod_session, CVE-2021-26691, is a problem with the way responses are handled when Apache communicates with backend request processors such as PHP. If exploited, this could lead to a heap overflow and possible information exfiltration. Due to the way communication happens between Apache and the backend, it is not easily exploitable, and an attacker in a position to do so would find attacking Apache this way a convoluted alternative to what they already had at their disposal.


The last issue in this batch is a moderate-impact vulnerability, CVE-2021-30641, caused by unexpected URL matching when "MergeSlashes OFF" is set in the configuration. While details are not yet fully available, the functionality mentioned could potentially allow security checks to be bypassed through specially crafted URLs. Official reports do not mention Ubuntu as susceptible, but internal testing showed that it is, so patches for that system have also been made available.
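A defender's triage helper for the facts above (the affected version range and the MergeSlashes OFF setting), added here as an example that is not TuxCare's code: it parses the `httpd -v` banner and an Apache config fragment and reports whether a host falls in the affected range and whether the CVE-2021-30641 precondition is present. The banner and config are constructed samples.

```python
import re
from typing import Optional, Tuple

# Affected range stated in the article: 2.4.0 up to and including 2.4.46.
AFFECTED_MIN = (2, 4, 0)
AFFECTED_MAX = (2, 4, 46)


def parse_httpd_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `httpd -v` / `apache2 -v` output."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def version_in_affected_range(version: Tuple[int, int, int]) -> bool:
    """Tuple comparison handles 2.4.9 < 2.4.46 correctly (no string compare)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def merge_slashes_disabled(config_text: str) -> bool:
    """True if an uncommented MergeSlashes directive turns the option off.
    Apache directive names and On/Off values are case-insensitive."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"MergeSlashes\s+(\S+)", line, re.IGNORECASE)
        if m and m.group(1).lower() == "off":
            return True
    return False


def triage(banner: str, config_text: str) -> dict:
    """Summarise exposure from the two inputs; the CVE-2021-30641 flag
    requires both an affected build and MergeSlashes OFF, per the article."""
    version = parse_httpd_version(banner)
    in_range = version is not None and version_in_affected_range(version)
    slashes_off = merge_slashes_disabled(config_text)
    return {
        "version": version,
        "in_affected_range": in_range,
        "mergeslashes_off": slashes_off,
        "cve_2021_30641_exposed": in_range and slashes_off,
    }


# Constructed sample input (hypothetical host, not from the article).
SAMPLE_BANNER = "Server version: Apache/2.4.41 (Ubuntu)\nServer built:   2021-01-01"
SAMPLE_CONFIG = "# MergeSlashes Off   <- commented out, ignored\nServerName example.test\nmergeslashes OFF\n"

if __name__ == "__main__":
    print(triage(SAMPLE_BANNER, SAMPLE_CONFIG))
```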


If you're running nginx rather than Apache, and in case you missed it, a vulnerability was disclosed late last month and fixed by the TuxCare team. Read more about it here.

The TuxCare team, as always, tests all the vulnerabilities so that you don't have to. If you're already an Extended Lifecycle Support subscriber, the patches for the affected systems are already available to you. If you are looking for more information on the service, you can find it here.
