Security

Mitigation Instructions for CVE-2021-40438

Written by CyRisk Vulnerability Management Team | Mar 22, 2023 6:08:07 PM

SUBJECT: CVE-2021-40438 Apache HTTP Server-Side Request Forgery (SSRF)

TECH STACK: Apache HTTP Server versions 2.4.1 to 2.4.46.  

DATE(S) ISSUED: 09/16/2021

CRITICALITY: HIGH

OVERVIEW:

CVE-2021-40438 is a vulnerability in the Apache HTTP Server that allows an attacker to send a malicious request from a server, causing the server to initiate requests to arbitrary, potentially internal, destinations. This is known as a server-side request forgery (SSRF) attack.

An attacker could exploit this vulnerability to access internal resources on the server that may not be directly accessible from the Internet, such as intranet websites or internal network resources. They could also potentially use the vulnerability to bypass firewall rules or to perform port scans of internal systems.

The vulnerability exists in the Apache HTTP Server's mod_proxy module, which is responsible for proxying requests from the server to other destinations. The vulnerability allows an attacker to send a specially crafted request that includes a malicious URL in the "Host" header, which can cause the server to send a request to an internal destination specified in the URL.

Apache HTTP Server versions 2.4.1 to 2.4.46 are affected by this vulnerability.

NIST Description: A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.

https://nvd.nist.gov/vuln/detail/CVE-2021-40438

THREAT INTELLIGENCE:

CISA has added CVE-2021-40438 to its Known Exploited Vulnerabilities Catalog, based 

on evidence that threat actors are actively exploiting the vulnerability. This vulnerability is a frequent attack vector for malicious cyber actors of all types and poses significant risk to the federal enterprise. 

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NIST: NVD

Base Score: 9.0 CRITICAL

Vector:  CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

SOLUTION:

To fix the CVE-2021-40438 vulnerability in the Apache HTTP Server, you should upgrade to a fixed version of the software. The specific version you should upgrade to will depend on which version of the Apache HTTP Server you are currently using.

The following versions of the Apache HTTP Server include a fix for the vulnerability:

  • 2.4.47
  • 2.5.0-alpha

To upgrade to a fixed version of the Apache HTTP Server, you can download the latest version of the software from the Apache HTTP Server download page (http://httpd.apache.org/download.cgi). Once you have downloaded the software, follow the instructions provided in the installation guide to install the new version.

Alternatively, you may be able to upgrade to a fixed version of the Apache HTTP Server using your operating system's package manager. Consult the documentation for your operating system or package manager for more information on how to upgrade software packages.

It is important to note that upgrading to a fixed version of the Apache HTTP Server will not automatically fix the vulnerability on your system. You will also need to ensure that any third-party modules or customizations you have made to the Apache HTTP Server are compatible with the new version.

REFERENCES:

CISCO:20211124 Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021

URL:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ

CONFIRM:https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf

CONFIRM:https://security.netapp.com/advisory/ntap-20211008-0004/

URL:https://security.netapp.com/advisory/ntap-20211008-0004/

CONFIRM:https://www.tenable.com/security/tns-2021-17

URL:https://www.tenable.com/security/tns-2021-17

DEBIAN:DSA-4982

URL:https://www.debian.org/security/2021/dsa-4982

FEDORA:FEDORA-2021-dce7e7738e

URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/

FEDORA:FEDORA-2021-e3f6dd670d

URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/

GENTOO:GLSA-202208-20

URL:https://security.gentoo.org/glsa/202208-20

MISC:https://httpd.apache.org/security/vulnerabilities_24.html

URL:https://httpd.apache.org/security/vulnerabilities_24.html

MISC:https://www.oracle.com/security-alerts/cpuapr2022.html

URL:https://www.oracle.com/security-alerts/cpuapr2022.html

MISC:https://www.oracle.com/security-alerts/cpujan2022.html

URL:https://www.oracle.com/security-alerts/cpujan2022.html

MLIST:[debian-lts-announce] 20211002 [SECURITY] [DLA 2776-1] apache2 security update

URL:https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html

MLIST:[httpd-bugs] 20211008 [Bug 65616] CVE-2021-36160 regression

URL:https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37@%3Cbugs.httpd.apache.org%3E

MLIST:[httpd-users] 20210923 Re: [users@httpd] 2.4.49 security fixes: more info

URL:https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029@%3Cusers.httpd.apache.org%3E

MLIST:[httpd-users] 20210923 Re: [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info

URL:https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c@%3Cusers.httpd.apache.org%3E

MLIST:[httpd-users] 20210923 [users@httpd] 2.4.49 security fixes: more info

URL:https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697@%3Cusers.httpd.apache.org%3E

MLIST:[httpd-users] 20210923 [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info

URL:https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432@%3Cusers.httpd.apache.org%3E

MLIST:[httpd-users] 20211019 Re: [users@httpd] Regarding CVE-2021-40438

URL:https://lists.apache.org/thread.html/rf6954e60b1c8e480678ce3d02f61b8a788997785652e9557a3265c00@%3Cusers.httpd.apache.org%3E

MLIST:[httpd-users] 20211019 [users@httpd] Regarding CVE-2021-40438

URL:https://lists.apache.org/thread.html/r210807d0bb55f4aa6fbe1512be6bcc4dacd64e84940429fba329967a@%3Cusers.httpd.apache.org%3E