Apache HTTP Server Prior to 2.4.60 Multiple Security Vulnerabilities

The Apache HTTP Server is free, open-source, cross-platform web server software. Multiple vulnerabilities have been addressed in Apache HTTP Server version 2.4.60. These vulnerabilities affect versions prior to 2.4.59 and have been resolved in version 2.4.60.

Vulnerabilities

  1. DoS by Null Pointer in WebSocket over HTTP/2 (CVE-2024-36387)
    • Description: Serving WebSocket protocol upgrades over an HTTP/2 connection could result in a Null Pointer dereference, leading to a crash of the server process and performance degradation.
  2. Windows UNC SSRF (CVE-2024-38472)
    • Description: SSRF in Apache HTTP Server on Windows allows potential leakage of NTLM hashes to a malicious server via SSRF and malicious requests or content. Existing configurations that access UNC paths will need to configure the new directive “UNCList” to allow access during request processing.
  3. Proxy Encoding Problem (CVE-2024-38473)
    • Description: An encoding problem in mod_proxy allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests.
  4. Weakness with Encoded Question Marks in Backreferences (CVE-2024-38474)
    • Description: A substitution encoding issue in mod_rewrite allows attackers to execute scripts in directories permitted by the configuration but not directly reachable by any URL, or disclose the source of scripts meant only to be executed as CGI.
  5. Weakness in mod_rewrite When First Segment of Substitution Matches Filesystem Path (CVE-2024-38475)
    • Description: Improper escaping of output in mod_rewrite allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure.
  6. Crash Resulting in Denial of Service in mod_proxy via a Malicious Request (CVE-2024-38477)
    • Description: A Null Pointer dereference in mod_proxy allows an attacker to crash the server via a malicious request.
  7. mod_rewrite Proxy Handler Substitution (CVE-2024-39573)
    • Description: Potential SSRF in mod_rewrite allows an attacker to cause unsafe RewriteRules to unexpectedly set up URLs to be handled by mod_proxy.

Affected Versions

Apache HTTP Server versions from 2.4.0 to 2.4.59 are affected by these vulnerabilities.
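The version range above is the basis for a simple inventory check. The following is an added example (not part of the advisory or Qualys tooling) that parses the version string from `httpd -v` output or a `Server` response header and decides whether it falls inside the affected range 2.4.0 through 2.4.59. The sample banners are constructed for illustration; the binary name `httpd` and the helper names are assumptions.

```python
import re
import subprocess

# Boundaries taken from the advisory: 2.4.0 .. 2.4.59 affected, 2.4.60 fixed.
AFFECTED_MIN = (2, 4, 0)
FIXED = (2, 4, 60)

# Matches "Apache/2.4.58" inside "Server version: Apache/2.4.58 (Unix)" or "Server: Apache/2.4.58".
VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first Apache x.y.z version found in text as an int tuple, or None.

    A banner that only says "Apache" (ServerTokens Prod) carries no version and
    yields None; treat that result as inconclusive rather than as "not affected".
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True if version lies in the advisory's affected range [2.4.0, 2.4.60)."""
    return AFFECTED_MIN <= version < FIXED


def assess(text):
    """Classify a banner or `httpd -v` output as 'affected', 'fixed' or 'unknown'."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "fixed"


def check_local_httpd(binary="httpd"):
    """Run `httpd -v` on this host (assumed binary name) and return assess() of its output.

    Returns 'unknown' if the binary is missing or does not respond in time.
    """
    try:
        out = subprocess.run([binary, "-v"], capture_output=True, text=True, timeout=5).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "unknown"
    return assess(out)


# Constructed sample inputs covering the three outcomes.
SAMPLE_BANNERS = {
    "Server version: Apache/2.4.58 (Unix)": "affected",
    "Server: Apache/2.4.59 (Win64)": "affected",
    "Server version: Apache/2.4.60 (Debian)": "fixed",
    "Server: Apache": "unknown",  # ServerTokens Prod hides the version
}

if __name__ == "__main__":
    for banner, expected in SAMPLE_BANNERS.items():
        print(f"{banner!r:45} -> {assess(banner)} (expected {expected})")
    print("local httpd:", check_local_httpd())
```

Because a `Server` header can be trimmed by `ServerTokens` or rewritten by a reverse proxy, a banner-based result of `unknown` should be resolved with an authenticated check such as `httpd -v` on the host or the package manager's installed version, which is also what a VM scan does.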

Mitigation

Successful exploitation of these vulnerabilities could compromise the integrity, availability, and confidentiality of your server. Customers are advised to upgrade to the latest version of Apache HTTP Server to remediate these vulnerabilities. For more information on these vulnerabilities, please refer to Apache's security advisory.

Qualys Detection

Qualys customers can detect whether their servers are vulnerable by launching Qualys WAS and VM scans.

The QIDs that will be reported for vulnerable servers are:

  • QID 152103: Apache HTTP Server Prior to 2.4.60 Multiple Security Vulnerabilities
  • QID 731613: Apache Hypertext Transfer Protocol Server (HTTP Server) Prior to 2.4.60 Multiple Security Vulnerabilities

References

https://httpd.apache.org/security/vulnerabilities_24.html
