=====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN510
_____________________________________________________________________

DATE                : 05/10/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache HTTP Server versions up to
                                   and including 2.4.49.

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/202110.mbox/%3ce377474b-8d81-035a-bd74-3c20e4a7c144@apache.org%3e
http://mail-archives.apache.org/mod_mbox/www-announce/202110.mbox/%3c09943ac6-0057-7e59-d05e-458cca307130@apache.org%3e
_____________________________________________________________________

CVE-2021-41773: Path traversal and file disclosure vulnerability in
Apache HTTP Server 2.4.49


Severity: important

Description:

A flaw was found in a change made to path normalization in Apache HTTP
Server 2.4.49. An attacker could use a path traversal attack to map URLs
to files outside the expected document root.


If files outside of the document root are not protected by "require all
denied" these requests can succeed. Additionally this flaw could leak
the source of interpreted files like CGI scripts.

This issue is known to be exploited in the wild.

This issue only affects Apache 2.4.49 and not earlier versions.


Credit:

This issue was reported by Ash Daulton along with the cPanel Security
Team


References:

https://httpd.apache.org/security/vulnerabilities_24.html
_____________________________________________________________________

CVE-2021-41524 Apache HTTP Server null pointer dereference in h2 fuzzing

Severity: moderate


Description:

While fuzzing the 2.4.49 httpd, a new null pointer dereference was
detected during HTTP/2 request processing, allowing an external source
to DoS the server. This requires a specially crafted request.


The vulnerability was recently introduced in version 2.4.49. No exploit
is known to the project.


Mitigation:

Disable the HTTP/2 protocol.


Credit:

Apache httpd team would like to thank LI ZHI XIN from NSFocus Security
Team for reporting this issue.


References:

https://httpd.apache.org/security/vulnerabilities_24.html


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================