The second flaw can be used to perform server-side request forgery on Apache HTTP Server 2.47 through 2.4.51. The worldwide popularity of the Apache HTTP Server makes vulnerable systems a prime target for hackers, so patching these two vulnerabilities in Apache’s web server is a top priority for website owners.
The Apache Software Foundation has released new updates that fix two bugs that can be exploited by remote attackers to take control of vulnerable systems running on popular web servers. The bugs tracked as CVE-2021-44790 and CVE-2021-44224 have CVSS scores of 9.8 and 8.2 respectively. A more severe bug in Apache’s web server is rated Critical but is classified as Log4Shell with a CVSS score of 10 out of 10. The first flaw is a memory-related buffer overflow that affects Apache HTTP Server 2.4.5.1 and earlier versions.
Highlights
possibility of armament
In a new alert from the Cybersecurity and Infrastructure Security Agency (CISA), US government agencies say a buffer overflow flaw in the Apache web server “could allow a remote attacker to gain control of the affected system” There is a warning. This critical flaw has not been used in a live exploit, but the Apache HTTPD team believes it could be weaponized by an attacker. Therefore, organizations and individuals running Apache HTTP Server should read this announcement and update their software to the latest version as soon as possible to protect against potential attacks that exploit this critical flaw.