Free Republic
General/Chat

To: All

(APACHE - ????)

High-Risk Flaw Haunts Apache Server

https://www.securityweek.com/high-risk-flaw-haunts-apache-server

The Apache Software Foundation has released a new version of its flagship web server to patch a pair of security defects, one serious enough to lead to remote code execution attacks.

The Apache HTTP Server 2.4.52 is listed as urgent and the U.S. government’s security response agency CISA is calling on users of the open-source cross-platform web server software to “update as soon as possible.”

The patch provides cover for two documented security vulnerabilities — CVE-2021-44790 and CVE-2021-44224 — one of which may allow a remote attacker to take control of an affected system.

From the Apache Software Foundation advisory:

HIGH: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier (CVE-2021-44790)

A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts).

The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one.

...moar


1,203 posted on 12/27/2021 6:41:52 PM PST by bitt


To: dayglored

High-Risk Flaw Haunts Apache Server

https://www.securityweek.com/high-risk-flaw-haunts-apache-server

The Apache Software Foundation has released a new version of its flagship web server to patch a pair of security defects, one serious enough to lead to remote code execution attacks.


1,205 posted on 12/27/2021 6:47:13 PM PST by bitt

To: bitt

We’re doing updates/patches for this (Log4j) vulnerability at work as soon as they are available. It is draining resources. It is causing my team to miss goals.


1,301 posted on 12/28/2021 5:31:27 AM PST by numberonepal (WWG1WGA)

To: bitt

Wasn’t there a Q drop that had “apache” in it?


1,323 posted on 12/28/2021 7:59:04 AM PST by Bigg Red (Trump will be sworn in under a shower of confetti made from the tattered remains of the Rat Party.)
