openEuler update for httpd



Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2021-39275
CWE-ID CWE-119
Exploitation vector Network
Public exploit N/A
Vulnerable software
 openEuler
Operating systems & Components / Operating system

httpd-filesystem
Operating systems & Components / Operating system package or component

httpd-help
Operating systems & Components / Operating system package or component

httpd-tools
Operating systems & Components / Operating system package or component

httpd-debugsource
Operating systems & Components / Operating system package or component

mod_session
Operating systems & Components / Operating system package or component

mod_md
Operating systems & Components / Operating system package or component

mod_ssl
Operating systems & Components / Operating system package or component

httpd-debuginfo
Operating systems & Components / Operating system package or component

mod_proxy_html
Operating systems & Components / Operating system package or component

httpd-devel
Operating systems & Components / Operating system package or component

mod_ldap
Operating systems & Components / Operating system package or component

httpd
Operating systems & Components / Operating system package or component

Vendor openEuler

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Buffer overflow

EUVDB-ID: #VU56679

Risk: Medium

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-39275

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system or perform a denial of service attack.

The vulnerability exists due to a boundary error within the ap_escape_quotes()  function. A remote attacker can send a specially crafted request to the web server, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that the Apache module passes untrusted data to the affected function.

According to vendor, No included modules pass untrusted data to these functions

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 20.03 LTS SP1 - 20.03 LTS SP2

httpd-filesystem: before 2.4.43-10

httpd-help: before 2.4.43-10

httpd-tools: before 2.4.43-10

httpd-debugsource: before 2.4.43-10

mod_session: before 2.4.43-10

mod_md: before 2.4.43-10

mod_ssl: before 2.4.43-10

httpd-debuginfo: before 2.4.43-10

mod_proxy_html: before 2.4.43-10

httpd-devel: before 2.4.43-10

mod_ldap: before 2.4.43-10

httpd: before 2.4.43-10

CPE2.3 External links

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1387


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###