VULNERABILITY:
Carefully crafted request targeting the mod_lua multipart parser – risk of Buffer Overflow.
DESCRIPTION/IMPACT:
While the Apache Software Foundation has not yet identified an active exploit targeting this vulnerability, it has advised that one may be possible to craft. The vulnerability affects Apache HTTP Server versions 2.4.51 and lower and carries a risk rating of 9.8 (critical); successful exploitation leads to a buffer overflow.
MITIGATION:
Upgrade to Apache HTTP Server version 2.4.52.
On servers that do not receive the fix from updated upstream repositories, disable mod_lua (if it is not required) by performing the following steps:
- Locate the configuration file that loads the Lua module (typically found in the /etc/conf or /etc/httpd directories).
- Remove or comment out the line responsible for loading the Lua module
- Restart the httpd service
- Run httpd -M to verify the Lua module is no longer loaded
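The disable-and-verify steps above, as an added shell example that is not part of the advisory: it comments out the mod_lua LoadModule directive in every *.conf file under a configuration directory (keeping a .bak copy), syntax-checks the configuration before restarting, and reads the `httpd -M` output to confirm lua_module is gone. It assumes GNU sed/grep, configuration paths without spaces, and, when run with --apply, a RHEL-style /etc/httpd layout with a systemd unit named httpd.

```shell
#!/bin/sh
# Added example, not the advisory's own code. Assumptions: GNU sed/grep,
# no spaces in config paths, /etc/httpd layout and "httpd" systemd unit.

LUA_LOAD_RE='^[[:space:]]*LoadModule[[:space:]]+lua_module'

# Comment out active "LoadModule lua_module ..." lines below directory $1.
# Prints the number of files changed; already-commented lines are left alone.
disable_lua_module() {
    n=0
    for f in $(find "$1" -type f -name '*.conf' 2>/dev/null); do
        if grep -Eq "$LUA_LOAD_RE" "$f"; then
            cp "$f" "$f.bak"   # keep a backup for rollback
            sed -E -i 's/^([[:space:]]*)(LoadModule[[:space:]]+lua_module)/\1#\2/' "$f"
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Given the text printed by `httpd -M`, exit 0 if lua_module is still listed.
lua_module_loaded() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*lua_module[[:space:]]'
}

# Operator entry point: ./disable_mod_lua.sh --apply [/path/to/httpd/conf]
if [ "${1:-}" = "--apply" ]; then
    conf_dir=${2:-/etc/httpd}
    echo "files changed: $(disable_lua_module "$conf_dir")"
    if ! httpd -t; then
        echo "config syntax check failed; not restarting" >&2
        exit 1
    fi
    systemctl restart httpd
    if lua_module_loaded "$(httpd -M 2>&1)"; then
        echo "lua_module is still loaded: check other config locations" >&2
        exit 1
    fi
    echo "mod_lua disabled"
fi
```

Run it once without --apply against a copy of the configuration to see which files would change before touching a live server.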
Further information can be found here:
https://nvd.nist.gov/vuln/detail/CVE-2021-44224
https://access.redhat.com/security/cve/cve-2021-44790
https://ubuntu.com/security/CVE-2021-44790
https://security-tracker.debian.org/tracker/CVE-2021-44790
Pentesec Summary:
This update carries a Critical CVSS score of 9.8. We highly recommend that our customers patch to 2.4.52 immediately to mitigate the risk to their Apache HTTP Server, or disable mod_lua as described above if they are not using current and updated upstream repositories, as no backported fix had been released at the time of this update.
Pentesec Security Essentials customers are under continuous monitoring for attempted exploitation.
Pentesec MDR customers are protected by the SentinelOne MDR platform, which will mitigate exploitation attempts resulting from this CVE.
We are closely monitoring the situation and any further updates will follow.