Request a Demo
Rewterz
Rewterz Threat Alert – Oski Data Stealer Malware – Active IOCs
September 17, 2021
Rewterz
Rewterz Threat Alert – Bitter APT Group – Active IOCs
September 17, 2021

Rewterz Threat Advisory – Multiple Apache Jena and HTTP Server Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2021-39239

Apache Jena could allow a remote attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations. By using a specially-crafted XML content, a remote attacker could exploit this vulnerability to read arbitrary files on the server.

CVE-2021-39275

Apache HTTP Server is vulnerable to a buffer overflow, caused by improper bounds checking by the ap_escape_quotes() function. By sending specially crafted input, a remote attacker could write beyond the end of a buffer.

CVE-2021-40438

Apache HTTP Server is vulnerable to server-side request forgery, caused by an error in mod_proxy. By sending a specially crafted request uri-path, a remote attacker could exploit this vulnerability to forward the request to an origin server chosen by the remote user.

CVE-2021-36160

Apache HTTP Server is vulnerable to a denial of service, caused by an out-of-bounds read in mod_proxy_uwsgi. By sending a specially crafted request uri-path, a remote attacker could exploit this vulnerability to read above the allocated memory and cause the server to crash.

CVE-2021-34798

Apache HTTP Server is vulnerable to a denial of service, caused by a NULL pointer dereference in httpd core. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.

Impact

  • Information Disclosure
  • Buffer Overflow
  • Unauthorized Access
  • Denial of Service

Affected Vendors

  • Apache

Affected Products

  • Apache Jena 4.1.0
  • Apache HTTP Server 2.4.0
  • Apache HTTP Server 2.4.1
  • Apache HTTP Server 2.4.2
  • Apache HTTP Server 2.4.3
  • Apache HTTP Server 2.4.4
  • Apache HTTP Server 2.4.7
  • Apache HTTP Server 2.4.6
  • Apache HTTP Server 2.4.9
  • Apache HTTP Server 2.4.10
  • Apache HTTP Server 2.4.12
  • Apache HTTP Server 2.4.18
  • Apache HTTP Server 2.4.20
  • Apache HTTP Server 2.4.17
  • Apache HTTP Server 2.4.23
  • Apache HTTP Server 2.4.29
  • Apache HTTP Server 2.4.33
  • Apache HTTP Server 2.4.25
  • Apache HTTP Server 2.4.26
  • Apache HTTP Server 2.4.27
  • Apache HTTP Server 2.4.28
  • Apache HTTP Server 2.4.34
  • Apache HTTP Server 2.4.35
  • Apache HTTP Server 2.4.37
  • Apache HTTP Server 2.4.39
  • Apache HTTP Server 2.4.41
  • Apache HTTP Server 2.4.43
  • Apache HTTP Server 2.4.46
  • Apache HTTP Server 2.4.48

Remediation

Upgrade to the latest version of Apache Jena, available from the Apache Web site.

https://jena.apache.org/

Upgrade to the latest version of Apache HTTP Server, available from the Apache Web site.

http://httpd.apache.org/security/vulnerabilities_24.html