SUBJECT: CVE-2021-40438 Apache HTTP Server-Side Request Forgery (SSRF)
TECH STACK: Apache HTTP Server 2.4.48 and earlier (fixed in 2.4.49).
DATE(S) ISSUED: 09/16/2021
CRITICALITY: HIGH
OVERVIEW:
CVE-2021-40438 is a server-side request forgery (SSRF) vulnerability in the Apache HTTP Server's mod_proxy module. An unauthenticated remote attacker can send a crafted request that causes the proxying server to initiate a request to an origin server of the attacker's choosing, including internal destinations that are not routable from the Internet.
An attacker could exploit this vulnerability to reach internal resources that are not directly accessible from the Internet, such as intranet websites or other internal network services, using the Apache server as a relay. They could also use it to bypass firewall rules that only the server is allowed through, or to enumerate internal hosts and ports by observing how the proxy responds.
The vulnerability exists in mod_proxy, which forwards requests from the server to other destinations. It is triggered by a crafted request URI path, not by the Host header: mod_proxy's handling of Unix domain socket proxy targets (the unix: prefix) fails on an over-long socket path, and the remainder of the path is then treated as the origin server URL, so the proxy connects to a destination supplied by the remote user. Only servers that load mod_proxy and route the request through a proxy rule (for example ProxyPass or a RewriteRule with the [P] flag) are exposed.
Apache HTTP Server 2.4.48 and earlier are affected; the fix shipped in 2.4.49.
NIST Description: A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.
https://nvd.nist.gov/vuln/detail/CVE-2021-40438
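Detection logic for the mechanism described above, as an added example that is not part of the original advisory: the Python below scans Apache combined-format access log lines for request targets of the form unix:<path>|<url>, URL-decodes them (once and twice, so encoded payloads are caught), and reports the origin the client tried to reach through the proxy. The log lines are constructed for illustration, the APR_PATH_MAX threshold of 4096 bytes is an assumption about typical Linux builds, and the regular expressions and record layout are this example's own, not Apache's.

```python
import re
from urllib.parse import unquote

# Assumption: APR_PATH_MAX is 4096 on typical Linux builds. A unix: socket path
# longer than this is what makes mod_proxy fall through to the trailing URL;
# shorter paths are still worth flagging as probes.
APR_PATH_MAX = 4096

# Constructed sample lines in Apache "combined" log format (not from a real incident).
_PADDING = "A" * 5000
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [10/Oct/2021:13:55:36 +0000] "GET /?unix:' + _PADDING
    + '|http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    # URL-encoded probe: %41 = A, %7c = |
    '203.0.113.5 - - [10/Oct/2021:13:55:37 +0000] "GET /app?unix:%41%41%41%41%7chttp://10.0.0.5:8080/admin HTTP/1.1" 200 88 "-" "python-requests/2.25.1"',
    '198.51.100.7 - - [10/Oct/2021:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    # Benign path that merely contains the string unix: (no pipe, no origin URL).
    '198.51.100.9 - - [10/Oct/2021:13:56:10 +0000] "GET /docs/unix:sockets.html HTTP/1.1" 404 200 "-" "Mozilla/5.0"',
])

# Combined log format up to the status code; the request target is captured whole.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# unix:<socket path>|<origin URL> anywhere in the decoded request target.
UDS_RE = re.compile(r'unix:(?P<path>[^|]*)\|(?P<origin>[A-Za-z][A-Za-z0-9+.-]*://\S*)')


def find_uds_ssrf(log_text):
    """Return one record per request that carries a unix:...|<url> proxy target."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Decode twice so single- and double-encoded payloads are both caught.
        target = unquote(unquote(m.group("target")))
        u = UDS_RE.search(target)
        if not u:
            continue
        path_len = len(u.group("path"))
        hits.append({
            "client": m.group("client"),
            "timestamp": m.group("ts"),
            "status": int(m.group("status")),
            "path_len": path_len,
            "origin": u.group("origin"),
            "severity": "likely-exploit" if path_len > APR_PATH_MAX else "probe",
        })
    return hits


if __name__ == "__main__":
    for hit in find_uds_ssrf(SAMPLE_LOG):
        print(f'{hit["timestamp"]} {hit["client"]} -> {hit["origin"]} '
              f'(path {hit["path_len"]} bytes, status {hit["status"]}, {hit["severity"]})')
```

A 200 status on a flagged request means the proxy completed the round trip to the attacker-chosen origin and returned its response, which is the strongest signal that the SSRF succeeded; a 4xx or 5xx usually indicates a probe that was blocked or could not connect. Run the function over the real access logs of any host that was on a vulnerable version while it had proxying enabled.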
THREAT INTELLIGENCE:
CISA has added CVE-2021-40438 to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerability. This vulnerability is a frequent attack vector for malicious cyber actors of all types and poses significant risk to the federal enterprise.
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
NIST: NVD
Base Score: 9.0 CRITICAL
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
SOLUTION:
To fix CVE-2021-40438, upgrade to a release of the Apache HTTP Server that contains the fix. The vulnerability affects 2.4.48 and earlier; the fix shipped in 2.4.49, so install 2.4.49 or, preferably, the current 2.4.x release.
Fixed versions: Apache HTTP Server 2.4.49 and later.
To upgrade to a fixed version of the Apache HTTP Server, you can download the latest version of the software from the Apache HTTP Server download page (http://httpd.apache.org/download.cgi). Once you have downloaded the software, follow the instructions provided in the installation guide to install the new version.
Alternatively, you may be able to upgrade to a fixed version of the Apache HTTP Server using your operating system's package manager. Consult the documentation for your operating system or package manager for more information on how to upgrade software packages.
After upgrading, restart httpd so the new binary and modules are actually loaded, and confirm the running version with httpd -v (apachectl -v on some systems). Distribution packages frequently backport the fix without changing the upstream version number, so for a packaged httpd consult the vendor advisory (for example Debian DSA-4982 or DLA 2776-1 in the references below) and the package changelog rather than the version string alone. Also confirm that any third-party modules or local customizations are compatible with the new version before returning the server to service.
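A small exposure check for the upgrade procedure above, added here as an example and not part of the original advisory or of Apache: given the text of httpd -v (or a Server header, or a distribution package version string) and the text of httpd -M, it classifies a host as fixed, not exposed (mod_proxy not loaded), vulnerable, or needing a backport check. The sample inputs are constructed, the category names are this example's own, and the Debian-style package version used as a sample is illustrative rather than a specific fixed release.

```python
import re

# First upstream release with the fix for CVE-2021-40438 (see the httpd
# vulnerabilities page in the references).
FIXED_UPSTREAM = (2, 4, 49)

# Matches "Apache/2.4.46 (Unix)" from `httpd -v`, a Server header value, or a
# distribution package version such as "2.4.38-3+deb10u5" (revision captured).
VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?P<rev>-\S+)?')


def parse_version(text):
    """Return ((major, minor, patch), has_distro_revision), or (None, False)."""
    m = VERSION_RE.search(text)
    if not m:
        return None, False
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group("rev") is not None


def proxy_loaded(modules_output):
    """True if `httpd -M` output lists mod_proxy, the module that carries the bug."""
    return re.search(r'^\s*proxy_module\b', modules_output, re.M) is not None


def assess(version_text, modules_output):
    """Classify a host as fixed / not-exposed / verify-backport / vulnerable / unknown."""
    version, backported = parse_version(version_text)
    if version is None:
        return "unknown"
    if version >= FIXED_UPSTREAM:
        return "fixed"
    if not proxy_loaded(modules_output):
        # mod_proxy is not loaded, so the vulnerable code is unreachable; upgrade anyway.
        return "not-exposed"
    if backported:
        # Distribution packages keep the upstream version and backport the fix;
        # the version string alone cannot settle this, so check the package changelog.
        return "verify-backport"
    return "vulnerable"


# Constructed sample inputs standing in for the output of `httpd -v` / `httpd -M`
# and of `dpkg-query -W -f '${Version}' apache2`.
SAMPLES = {
    "source-build":   ("Server version: Apache/2.4.46 (Unix)",
                       "Loaded Modules:\n core_module (static)\n proxy_module (shared)\n proxy_http_module (shared)\n"),
    "upgraded":       ("Server version: Apache/2.4.51 (Unix)",
                       "Loaded Modules:\n proxy_module (shared)\n"),
    "no-proxy":       ("Server version: Apache/2.4.46 (Unix)",
                       "Loaded Modules:\n core_module (static)\n dir_module (shared)\n"),
    "debian-package": ("2.4.38-3+deb10u5",
                       "Loaded Modules:\n proxy_module (shared)\n"),
}

if __name__ == "__main__":
    for name, (ver, mods) in SAMPLES.items():
        print(f"{name:15} {assess(ver, mods)}")
```

The "not-exposed" result only means the vulnerable code path is unreachable on that host today; a later configuration change that enables mod_proxy would expose it, so the upgrade is still required.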
REFERENCES:
CISCO:20211124 Multiple Vulnerabilities in Apache HTTP Server Affecting Cisco Products: November 2021
CONFIRM:https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf
CONFIRM:https://security.netapp.com/advisory/ntap-20211008-0004/
URL:https://security.netapp.com/advisory/ntap-20211008-0004/
CONFIRM:https://www.tenable.com/security/tns-2021-17
URL:https://www.tenable.com/security/tns-2021-17
DEBIAN:DSA-4982
URL:https://www.debian.org/security/2021/dsa-4982
FEDORA:FEDORA-2021-dce7e7738e
FEDORA:FEDORA-2021-e3f6dd670d
GENTOO:GLSA-202208-20
URL:https://security.gentoo.org/glsa/202208-20
MISC:https://httpd.apache.org/security/vulnerabilities_24.html
URL:https://httpd.apache.org/security/vulnerabilities_24.html
MISC:https://www.oracle.com/security-alerts/cpuapr2022.html
URL:https://www.oracle.com/security-alerts/cpuapr2022.html
MISC:https://www.oracle.com/security-alerts/cpujan2022.html
URL:https://www.oracle.com/security-alerts/cpujan2022.html
MLIST:[debian-lts-announce] 20211002 [SECURITY] [DLA 2776-1] apache2 security update
URL:https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html
MLIST:[httpd-bugs] 20211008 [Bug 65616] CVE-2021-36160 regression
MLIST:[httpd-users] 20210923 Re: [users@httpd] 2.4.49 security fixes: more info
MLIST:[httpd-users] 20210923 Re: [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info
MLIST:[httpd-users] 20210923 [users@httpd] 2.4.49 security fixes: more info
MLIST:[httpd-users] 20210923 [users@httpd] Re: [External] : [users@httpd] 2.4.49 security fixes: more info
MLIST:[httpd-users] 20211019 Re: [users@httpd] Regarding CVE-2021-40438
MLIST:[httpd-users] 20211019 [users@httpd] Regarding CVE-2021-40438