National Vulnerability Database CNNVD: Early Warning on Apache HTTP Server Code Issues and Vulnerabilities

Recently, the National Information Security Vulnerability Database (CNNVD) received a report on the vulnerability of the Apache HTTP Server code (CNNVD-202109-1094, CVE-2021-40438). An attacker who successfully exploits the vulnerability can construct malicious data to conduct SSRF attacks on the target server. Apache HTTP Server 2.4.48 and below are affected by this vulnerability. At present, Apache has officially released a version update to fix this vulnerability. It is recommended that users confirm the product version in time and take patching measures as soon as possible.

1. Vulnerability introduction

Apache HTTP Server is an open source web server of the Apache Foundation in the United States. The server is fast, reliable and extensible through a simple API.

There is a code problem vulnerability in Apache HTTP Server. This vulnerability is caused by the system’s failure to strictly filter the user’s input. An attacker can construct malicious data to carry out SSRF attacks on the target server. This vulnerability can be used as a springboard for attacking the intranet of the target server, so as to perform port scanning on the intranet where the server is located, attack applications running on the intranet, and download intranet resources.

2. Harmful effects

An attacker who successfully exploits the vulnerability can construct malicious data to remotely attack the target server. Apache HTTP Server 2.4.48 and below are affected by this vulnerability.

3. Repair suggestion

At present, Apache has officially released a version update to fix the vulnerability. Users are advised to confirm the product version in time and take patching measures as soon as possible. The official Apache update link is as follows:

https://httpd.apache.org/download.cgi

This notification is supported by CNNVD technical support units-Beijing Zhichuangyu Information Technology Co., Ltd., Sangfor Technology Co., Ltd., Beijing Times Xinwei Information Technology Co., Ltd. and other technical support units.

CNNVD will continue to track the relevant situation of the above-mentioned vulnerabilities and release relevant information in a timely manner. Contact CNNVD if necessary. Contact: [email protected]

The Links:   LTM10C321K AA090MF01–T1