The Apache Software Foundation has issued an update for critical vulnerabilities, but this time it’s for the Apache HTTP Server. The new patch fixes a couple of critical vulnerabilities almost as dangerous as the already infamous Log4Shell.
The Log4Shell vulnerability took the world by storm, and the ripples it sent through the digital world will be felt for years to come. In fact, the problem was so bad that it took several patches to fix it, as security researchers found new methods to bypass the patches.
Now, the Apache Software Foundation is pushing an update for the Apache HTTP Server, another critical component that’s found pretty much everywhere. While the new vulnerabilities, CVE-2021-44790 with a CVSS score of 9.8 and CVE-2021-44224 with a score of 8.2, don’t appear to be exploited in the wild, it may be only a matter of time before they are weaponized as well.
“A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts),” wrote the Apache Software Foundation team of the more dangerous of the two vulnerabilities. “The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.”
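The advisory narrows the exposure to two conditions: an httpd build at 2.4.51 or earlier, and mod_lua loaded (the affected multipart parser is reached through r:parsebody()). The following is an added example, not code from the article or the Apache project, that classifies a host from the text printed by `httpd -v` and `httpd -M`; the sample outputs are constructed, and the helper names are this example's own.

```python
import re
from typing import Optional, Tuple

# Constructed sample outputs (not captured from a real host), in the format
# printed by `httpd -v` and `httpd -M` on a typical Linux build.
SAMPLE_HTTPD_V = "Server version: Apache/2.4.51 (Unix)\nServer built:   Oct  7 2021 14:02:59\n"
SAMPLE_HTTPD_M = "Loaded Modules:\n core_module (static)\n http_module (static)\n lua_module (shared)\n"

# Per the advisory, "2.4.51 and earlier" are affected by CVE-2021-44790.
LAST_AFFECTED = (2, 4, 51)


def parse_version(httpd_v: str) -> Optional[Tuple[int, ...]]:
    """Extract the version tuple from `httpd -v` output, e.g. (2, 4, 51)."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v)
    return tuple(int(x) for x in m.groups()) if m else None


def loaded_modules(httpd_m: str) -> set:
    """Return the set of module names listed by `httpd -M`."""
    return set(re.findall(r"^\s*(\w+_module)\s+\((?:static|shared)\)", httpd_m, re.M))


def exposure(httpd_v: str, httpd_m: str) -> str:
    """Classify a host for CVE-2021-44790 from its `httpd -v` / `httpd -M` output.

    Returns one of:
      'unknown'          - version could not be parsed
      'patched'          - build newer than 2.4.51
      'vulnerable-build' - affected build, but mod_lua is not loaded; still
                           update, since the same release fixes CVE-2021-44224
      'exposed'          - affected build with mod_lua loaded, i.e. the
                           multipart parser behind r:parsebody() is reachable
    """
    ver = parse_version(httpd_v)
    if ver is None:
        return "unknown"
    if ver > LAST_AFFECTED:
        return "patched"
    if "lua_module" in loaded_modules(httpd_m):
        return "exposed"
    return "vulnerable-build"


if __name__ == "__main__":
    print(exposure(SAMPLE_HTTPD_V, SAMPLE_HTTPD_M))
```

On a real host, feed the script the captured output of `httpd -v` and `httpd -M` (or `apachectl -M`); a result of `exposed` is the case the advisory describes.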
The good news is that the vulnerabilities are not in use in the wild, unlike Log4Shell, which took only a matter of days before criminals found ways of deploying malware and infecting systems. It also helps that no proof of concept exists, so it will take a while until attackers reverse engineer the patch to see what was fixed.
The Apache HTTP Server is used worldwide, and companies should heed the warning of the Apache Software Foundation and patch their systems as quickly as possible. It could become a much bigger problem once attackers figure out how to weaponize the vulnerabilities.