June 23, 2021 - TuxCare PR Team
Earlier this month, another set of vulnerabilities was publicly disclosed, this time in Apache httpd. Because Apache has long been one of the most widely deployed web servers on the Internet, even low-impact vulnerabilities in it can have far-reaching effects.
The affected versions run from 2.4.0 up to and including 2.4.46. One of the four issues, the MergeSlashes bug (CVE-2021-30641), only affects 2.4.39 onwards, since that directive did not exist before 2.4.39.
Patches are already available for systems protected with Extended Lifecycle Support.
Let’s take a closer look at the vulnerabilities. The first, CVE-2020-35452, is a low-impact potential stack overflow in mod_auth_digest, triggered by a specially crafted Digest nonce. According to the upstream description, the overflow is real but hard to trigger, and would require unusual compiler or build settings to become reachable; it is also only a single, non-arbitrary byte, which is why the rating is low. Still, now that the problem is public, malicious actors are undoubtedly looking for ways to exploit it, and stack overflows in other software have repeatedly been turned into arbitrary code execution, so it should not be dismissed on the strength of its rating alone. If mod_auth_digest is not loaded, the bug is not reachable on that host.
Next, CVE-2021-26690 is another low-impact vulnerability, this time in mod_session, where a NULL pointer dereference can crash Apache and cause a denial of service. Internally, the TuxCare team has concluded that this should not be rated low, but at least moderate: a proof-of-concept was developed to test the flaw, and it reliably crashed Apache child processes. Given how recently the disclosure occurred, it is possible that the severity will be raised in the official CVE record.
Another low-impact vulnerability affecting mod_session, CVE-2021-26691, is a problem with the way session headers in responses from a backend request processor (PHP, for example) are handled. If exploited, it could lead to a heap overflow and possibly to information disclosure. Because of how Apache and the backend communicate, it is not easily exploitable, and an attacker who was already in a position to control the backend's responses would have more direct options available than attacking Apache this way.
The last issue in this batch is a moderate-impact vulnerability, CVE-2021-30641, caused by unexpected URL matching when “MergeSlashes OFF” is set in the configuration. Details are not yet fully available, but the behaviour described could allow specially crafted URLs (ones containing consecutive slashes, which that setting preserves) to bypass access controls keyed on the request path. MergeSlashes defaults to On, so only configurations that explicitly turn it off are exposed; that setting is usually chosen because an application behind Apache needs to see the repeated slashes, so check for that before simply reverting it. Official reports do not list Ubuntu as susceptible, but internal testing showed that it is, so patches for that system have also been made available.
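As an added illustration (not part of the original post, and not TuxCare's or the Apache project's code), the following Python script turns the four advisories above into a per-host triage check. It takes the outputs of `httpd -v` and `httpd -M` (`apache2ctl -M` on Ubuntu) together with the configuration text and reports, for each CVE, whether the build is in the affected range and whether the host is actually exposed: the three module bugs only matter if mod_auth_digest or mod_session is loaded, and the MergeSlashes bug only if the directive is explicitly set to Off. The sample inputs are constructed; the MergeSlashes check is a line-based heuristic that assumes the directive appears on its own line in the files you feed it, and the version test uses upstream ranges only.

```python
"""Triage which of the four June 2021 Apache httpd CVEs apply to a host.

Added example, not TuxCare's or the Apache project's code.  Inputs are the
outputs of `httpd -v` and `httpd -M` (`apache2ctl -M` on Ubuntu) plus the
configuration text; the sample inputs below are constructed.  Only the
upstream version ranges and module names from the advisory are used
(assumption: distro packages that backport fixes without changing the
version string will be reported as exposed, so confirm against the package
changelog).
"""
import re

# Upstream affected ranges from the advisory.  The three module bugs only
# matter if the module is loaded; the MergeSlashes bug only if the directive
# is explicitly set to Off (the default since 2.4.39 is On).
ADVISORY = {
    "CVE-2020-35452": {"module": "auth_digest_module",
                       "first": (2, 4, 0), "last": (2, 4, 46)},
    "CVE-2021-26690": {"module": "session_module",
                       "first": (2, 4, 0), "last": (2, 4, 46)},
    "CVE-2021-26691": {"module": "session_module",
                       "first": (2, 4, 0), "last": (2, 4, 46)},
    "CVE-2021-30641": {"config": "MergeSlashes Off",
                       "first": (2, 4, 39), "last": (2, 4, 46)},
}

VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")
MODULE_RE = re.compile(r"^\s*(\w+)\s+\((?:shared|static)\)\s*$")
# Anchored at line start so commented-out directives ("# MergeSlashes ...")
# are ignored.
MERGESLASHES_RE = re.compile(r"^\s*MergeSlashes\s+(\S+)",
                             re.IGNORECASE | re.MULTILINE)


def parse_version(httpd_v_output):
    """Extract (major, minor, patch) from `httpd -v` output."""
    m = VERSION_RE.search(httpd_v_output)
    if not m:
        raise ValueError("no Apache/x.y.z version string found")
    return tuple(int(x) for x in m.groups())


def loaded_modules(httpd_m_output):
    """Return the set of module names listed by `httpd -M`."""
    mods = set()
    for line in httpd_m_output.splitlines():
        m = MODULE_RE.match(line)
        if m:
            mods.add(m.group(1))
    return mods


def merge_slashes_off(config_text):
    """True if any live (uncommented) MergeSlashes directive is set to Off."""
    return any(m.group(1).lower() == "off"
               for m in MERGESLASHES_RE.finditer(config_text))


def triage(httpd_v_output, httpd_m_output, config_text):
    """Map each CVE to 'exposed', 'not exposed (...)' or 'not affected (...)'."""
    version = parse_version(httpd_v_output)
    mods = loaded_modules(httpd_m_output)
    ms_off = merge_slashes_off(config_text)
    result = {}
    for cve, entry in ADVISORY.items():
        if not (entry["first"] <= version <= entry["last"]):
            result[cve] = "not affected (version %s)" % ".".join(map(str, version))
        elif "module" in entry and entry["module"] not in mods:
            result[cve] = "not exposed (%s not loaded)" % entry["module"]
        elif "config" in entry and not ms_off:
            result[cve] = "not exposed (%s not set)" % entry["config"]
        else:
            result[cve] = "exposed"
    return result


# Constructed sample inputs resembling a stock Ubuntu 20.04 apache2 host.
SAMPLE_HTTPD_V = "Server version: Apache/2.4.41 (Ubuntu)\nServer built:   2021-03-11T12:00:00\n"
SAMPLE_HTTPD_M = """Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (shared)
 auth_digest_module (shared)
 session_module (shared)
 session_cookie_module (shared)
"""
SAMPLE_CONFIG = """ServerName www.example.com
# MergeSlashes On    <- commented out, must be ignored
<VirtualHost *:80>
    MergeSlashes OFF
    <Location "/admin">
        Require ip 10.0.0.0/8
    </Location>
</VirtualHost>
"""

if __name__ == "__main__":
    for cve, status in triage(SAMPLE_HTTPD_V, SAMPLE_HTTPD_M, SAMPLE_CONFIG).items():
        print("%s: %s" % (cve, status))
```

Run it against the real command outputs and the concatenation of your httpd.conf plus every included file (`apachectl -t -D DUMP_CONFIG` prints the fully resolved configuration on 2.4). A "not affected (version ...)" result is only as good as the version string: distributions backport fixes without bumping it, which is also why the post's note about Ubuntu matters, so treat the script as a first pass and confirm against the package changelog.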
If you’re running nginx rather than Apache, and in case you missed it, a vulnerability in nginx was disclosed late last month and has already been fixed by the TuxCare team. Read more about it here.
The TuxCare team, as always, tests all the vulnerabilities so that you don’t have to. If you’re already an Extended Lifecycle Support subscriber, the patches for the affected systems are already available to you. If you are looking for more information on the service, you can find it here.