Apache, the open-source software foundation behind the Log4j logging library at the center of the Log4Shell headlines, has released an update that corrects two vulnerabilities in HTTPD, a web server whose ubiquity rivals that of Log4j. The newly disclosed vulnerabilities (CVE-2021-44790 and CVE-2021-44224) allow attackers to cause a denial of service (DoS) or to bypass security controls.
A possible buffer overflow when parsing multipart content in mod_lua (CVE-2021-44790)
In the mod_lua multipart parser (reached when a Lua script calls r:parsebody()), a carefully crafted request body can cause a buffer overflow.
Possible NULL dereferences or SSRF in forwarding proxy configurations (CVE-2021-44224)
A crafted URI submitted to HTTPD configured as a forward proxy (ProxyRequests enabled) can cause a crash (NULL pointer dereference). In configurations that mix forward and reverse proxy declarations, it can also allow requests to be forwarded to a defined Unix Domain Socket endpoint (Server-Side Request Forgery).
Affected versions
CVE-2021-44224 affects Apache HTTP Server 2.4.7 up to 2.4.51.
CVE-2021-44790 affects Apache HTTP Server 2.4.51 and earlier.
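To triage an inventory against the two ranges above, a small checker that reads the version from `httpd -v` output or a Server response header and maps it to the affected CVEs is useful. This is an added example, not Qualys or Apache code; the inclusive ranges and the 2.4.52 fix version are taken from this advisory, and the sample inputs are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges as stated in the advisory above:
# CVE-2021-44224: 2.4.7 through 2.4.51; CVE-2021-44790: 2.4.51 and earlier.
AFFECTED: Dict[str, Tuple[Version, Version]] = {
    "CVE-2021-44224": ((2, 4, 7), (2, 4, 51)),
    "CVE-2021-44790": ((0, 0, 0), (2, 4, 51)),
}
FIXED_VERSION: Version = (2, 4, 52)

# Matches "Apache/2.4.51" as printed by `httpd -v` and by a default Server header.
VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_httpd_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) or None when no version is disclosed."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def affected_cves(version: Version) -> List[str]:
    """CVEs from this advisory whose inclusive range contains the version."""
    return [cve for cve, (lo, hi) in AFFECTED.items() if lo <= version <= hi]


def assess(text: str) -> Dict[str, object]:
    """Triage one version string; an undisclosed version needs an on-host check."""
    v = parse_httpd_version(text)
    if v is None:
        return {"version": None, "cves": [], "update_to": None,
                "note": "version not disclosed; confirm with `httpd -v` on the host"}
    return {"version": ".".join(map(str, v)), "cves": affected_cves(v),
            "update_to": "2.4.52" if v < FIXED_VERSION else None}


if __name__ == "__main__":
    # Constructed sample inputs: `httpd -v` output, a banner, and a hidden version.
    samples = ["Server version: Apache/2.4.51 (Unix)\nServer built:   Oct  7 2021",
               "Server: Apache/2.4.6 (CentOS)",
               "Server: Apache"]
    for s in samples:
        print(assess(s))
```

Distribution packages frequently carry backported fixes under an old version number, so treat a hit as a prompt to check the package changelog rather than as proof of exposure.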
Mitigation
Customers are advised to update to the latest Apache HTTP Server release, 2.4.52. For more information, please refer to the Apache advisory linked in the References below.
Qualys Detection
Qualys customers can scan their devices with QIDs 730312 and 730313 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
References
https://httpd.apache.org/security/vulnerabilities_24.html
https://threatpost.com/apache-httpd-server-bugs-rce-dos/177234/
https://www.cisa.gov/uscert/ncas/current-activity/2021/12/22/apache-releases-security-update-http-server