Cybersecurity specialists report the detection of four vulnerabilities in Apache HTTP server, the open source server for UNIX, Microsoft Windows and other systems. According to the report, the successful exploitation of the flaws would allow the deployment of multiple attack variants.

360 Mobile Vision - 360mobilevision.com North & South Carolina Security products and Systems Installations for Commercial and Residential - $55 Hourly Rate. ACCESS CONTROL, INTRUSION ALARM, ACCESS CONTROLLED GATES, INTERCOMS AND CCTV INSTALL OR REPAIR 360 Mobile Vision - 360mobilevision.com is committed to excellence in every aspect of our business. We uphold a standard of integrity bound by fairness, honesty and personal responsibility. Our distinction is the quality of service we bring to our customers. Accurate knowledge of our trade combined with ability is what makes us true professionals. Above all, we are watchful of our customers interests, and make their concerns the basis of our business.

Below are brief descriptions of the reported flaws, in addition to their respective tracking keys and scores assigned under the Common Vulnerability Scoring System (CVSS).

CVE-2021-34798: A NULL pointer dereference error would allow remote threat actors to send specially crafted HTTP requests to an affected web server, triggering a denial of service (DoS) condition.

This is a medium severity flaw and received a CVSS score of 6.5/10.

CVE-2021-36160: A boundary condition in module mod_proxy_uwsgi in Apache HTTP server would allow malicious hackers to send http requests with specially crafted uri-path, triggering the flaw and leading to a DoS scenario.

The flaw received a CVSS score of 6.5/10.

CVE-2021-39275: A limit error in the ap_escape_quotes() function would allow remote threat actors to send specially crafted requests to the affected server, causing memory corruption.

The vulnerability received a CVSS score of 4.9/10 and its successful exploitation would allow full compromise of the vulnerable system. It should be noted that exploitation requires the Apache module to pass unverified data to the affected function.

CVE-2021-40438: Improper validation of user-provided input in module mod_proxy would allow threat actors to send specially crafted HTTP requests with a chosen uri path and trick the web server into initiating requests to arbitrary systems.

This is a highly severe vulnerability and received a CVSS score of 8.1/10.

According to the report, all flaws were detected in the following Apache HTTP Server versions: 2.4.0, 2.4.0.0, 2.4.0.1, 2.4.0.2, 2.4.0.3, 2.4.0.4, 2.4.0.5, 2.4.0.6, 2.4.0.7, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.4.6, 2.4.7, 2.4.8, 2.4.9, 2.4.10, 2.4.11, 2.4.12, 2.4.13, 2.4.14, 2.4.15, 2.4.16, 2.4.17, 2.4.18, 2.4.19, 2.4.20, 2.4.21, 2.4.22, 2.4.23, 2.4.24, 2.4.25, 2.4.26, 2.4.27, 2.4.28, 2.4.29, 2.4.32, 2.4.33, 2.4.34, 2.4.35, 2.4.36, 2.4.37, 2.4.38, 2.4.39, 2.4.40, 2.4.41, 2.4.42, 2.4.43, 2.4.44, 2.4.45, 2.4.46, 2.4.47 & 2.4.48.

Vulnerabilities can be exploited remotely by unauthenticated threat actors, although no active exploitation attempts were detected at the time of writing. Still, cybersecurity specialists recommend users of affected implementations updating as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post NULL pointer errors, buffer overflows, SSRF and out-of-bounds reading vulnerabilities in Apache HTTP server. Patch now appeared first on Cyber Security News | Exploit One | Hacking News.

By admin