Skip to main content

Security relevant information_Apache HTTP Server

1. Vulnerability summary
The following 2 vulnerabilities were published on the same day:
  • CVE-2021-44224 (published 20 December 2021. CVSS base score: 8.2).
    This vulnerability could allow a remote third party to send a crafted URI to crash the http server (null pointer dereference) if the server is configured as a forward proxy. Alternatively, this vulnerability could allow a remote third party to send a spoofed URI to be redirected to a declared Unix domain socket endpoint (server side request forgery) if the server is configured with a mixed forward and reverse proxy.

    This issue affects the Apache HTTP Server, which is open-sourced by the Apache Software Foundation, 2.4.7 through 2.4.51.
  • CVE-2021-44790 (published 20 December 2021. CVSS base score: 9.8).
    This vulnerability could allow a remote third party to send carefully crafted HTTP requests to cause a buffer overflow if the server is configured to use a specific module "mod_lua" in Apache HTTP Server, which is provided as open source by the Apache Software Foundation.

    This issue affects Apache HTTP Server 2.4.51 and earlier versions.
Impact on our products
No products are affected by these vulnerabilities.

Apache HTTP Server is not used in our products, with the exception of aQrate. The latest version of aQrate contains the affected version of the Apache HTTP Server, but the corresponding configurations are NOT enabled during installation. Functions provided by Forward Proxy or mod_lua are not used in the products.