Amazon Linux AMI update for httpd24

Published: 2022-01-20

Risk	Critical
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2021-44224 CVE-2021-44790
CWE-ID	CWE-918 CWE-119
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	Amazon Linux AMI Operating systems & Components / Operating system
Vendor	Amazon Web Services

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU59057

Risk: Medium

CVSSv3.1: 6.3 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-44224

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input in forward proxy configurations. A remote attacker can send a specially crafted HTTP request and trick the web server to initiate requests to arbitrary systems or cause NULL pointer dereference error and crash the web server.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

SSRF if possible for configuration that mix forward and reverse proxy.

Mitigation

Update the affected packages:

i686:
    mod24_ssl-2.4.52-1.95.amzn1.i686
    httpd24-2.4.52-1.95.amzn1.i686
    httpd24-devel-2.4.52-1.95.amzn1.i686
    httpd24-tools-2.4.52-1.95.amzn1.i686
    mod24_md-2.4.52-1.95.amzn1.i686
    mod24_proxy_html-2.4.52-1.95.amzn1.i686
    httpd24-debuginfo-2.4.52-1.95.amzn1.i686
    mod24_session-2.4.52-1.95.amzn1.i686
    mod24_ldap-2.4.52-1.95.amzn1.i686

noarch:
    httpd24-manual-2.4.52-1.95.amzn1.noarch

src:
    httpd24-2.4.52-1.95.amzn1.src

x86_64:
    mod24_ssl-2.4.52-1.95.amzn1.x86_64
    httpd24-tools-2.4.52-1.95.amzn1.x86_64
    mod24_ldap-2.4.52-1.95.amzn1.x86_64
    httpd24-debuginfo-2.4.52-1.95.amzn1.x86_64
    mod24_proxy_html-2.4.52-1.95.amzn1.x86_64
    mod24_session-2.4.52-1.95.amzn1.x86_64
    mod24_md-2.4.52-1.95.amzn1.x86_64
    httpd24-devel-2.4.52-1.95.amzn1.x86_64
    httpd24-2.4.52-1.95.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

External links

http://alas.aws.amazon.com/ALAS-2022-1560.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Buffer overflow

EUVDB-ID: #VU59056

Risk: Critical

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-44790

CWE-ID: CWE-119 - Memory corruption