
Log4j 2.17.1 Is Out, And Fixes Yet Another Code Execution Flaw.

Apache has published Log4j version 2.17.1, which fixes CVE-2021-44832, a newly found code execution flaw. Until then the most recent version, 2.17.0, had been considered the safest release to update to; that advice has since changed, and the Log4j vulnerability resource center has been updated to reflect current download trends and statistics for 2.17.1.

Checkmarx researchers revealed details of the vulnerability in Log4j version 2.17.0, which had only just been released. Apache shipped that version a few days after two other patches that addressed the major Log4Shell attack and related problems. By altering the Log4j logging configuration file, attackers could execute remote code on a variety of servers or applications. The original Log4Shell flaw is one of the most widely known security weaknesses on the internet, affecting enterprise and government customers who run Log4j versions 2.0 through 2.14.1 in their environments.

Last month, a security researcher discovered yet another zero-day vulnerability in the Apache Log4j Java-based logging library, which threat actors could use to execute malicious code on compromised systems. This week, Apache released another version (Log4j 2.17.1) that aims to fix the remote code execution (RCE) flaw in v2.17.0.

Log4j is a well-known open-source Java library built by the Apache Software Foundation. Developers use it to log error messages in large commercial systems and cloud services such as Minecraft, Steam, and Apple iCloud.

Apache acknowledged the issue in an advisory, describing the moderate-severity flaw (CVSS 6.6) as follows: "An attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI, which can execute remote code, in Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4)."

The new Log4j CVE "only applies if an attacker can already edit the Log4j config file," according to security researcher Kevin Beaumont. "An attacker already owns your web app or host if they can edit your Log4j config file."

One of the most important lessons learned from the events surrounding Log4j is that it is humanly impossible for open source project maintainers to cover every possible attack vector while also correcting known vulnerabilities. This is why community-led vulnerability research and reporting is a benefit to open source. However, if not done properly, it can rapidly become a nuisance. 

"Irresponsible disclosures jeopardize the work of open source projects and their maintainers, and if not handled, this problem will only get worse." 

Another crucial point is that, unlike the previous four Log4j CVEs, nobody was credited with identifying CVE-2021-44832 in Apache's official advisory.

Apache Httpd 2.4.39 Fixed the Flaw Which Let Users Gain Root Access

A vulnerability in the Apache HTTP Server that allowed users to write and run scripts in order to gain root on Unix systems was patched in the Apache httpd 2.4.39 release.

According to the changelog, the flaw, tracked as CVE-2019-0211, affected all Apache HTTP Server releases from 2.4.17 through 2.4.38. It also made the execution of arbitrary code possible through scoreboard manipulation.

Because the web server is widely used to run shared hosting instances, Mark J. Cox, a founding member of the Apache Software Foundation and the OpenSSL project, emphasized the seriousness of the issue in a Twitter post about CVE-2019-0211.

Users with limited permissions on the server would be able to escalate their privileges by using scripts that run commands as root on vulnerable Apache servers, Cox explained.

Along with this major flaw, two other access control bypass vulnerabilities were also patched in the Apache HTTP Server 2.4.39 release.

Besides these three, the latest Apache httpd release also fixed three less severe flaws that could have led to normalization inconsistencies and crashes.

The privilege escalation vulnerability, of significant severity, was reported by a security engineer on February 22; Apache responded, and a fix was reportedly provided on March 7.

Apache 2.2.20 released to fix DDoS vulnerability

Today, Apache 2.2.20 was released to fix the DDoS vulnerability reported a few days ago.

Fix handling of byte-range requests to use less memory, to avoid denial of service. If the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file.
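As an added illustration (not part of the original post and not Apache's own code), the following Python sketch applies that changelog rule to a Range header: it parses the byte-range specifiers against a constructed 1000-byte resource, sums the bytes they cover, and falls back to serving the complete file whenever the sum exceeds the file size or the header is unusable.

```python
import re
from typing import List, Optional, Tuple

# Byte-range spec: "first-last", "first-" (to end of file) or "-N" (last N bytes).
_SPEC_RE = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_ranges(header: str, size: int) -> Optional[List[Tuple[int, int]]]:
    """Parse a Range header value (e.g. 'bytes=0-99,200-') into inclusive
    (start, end) pairs clamped to a resource of `size` bytes.  Returns None
    when the header is malformed or no range is satisfiable, in which case
    the server should simply send the whole file."""
    if not header.lower().startswith("bytes="):
        return None
    ranges: List[Tuple[int, int]] = []
    for spec in header[len("bytes="):].split(","):
        m = _SPEC_RE.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None                      # syntactically invalid spec
        first, last = m.group(1), m.group(2)
        if first == "":                      # "-N": the final N bytes
            n = int(last)
            if n == 0:
                return None
            start, end = max(size - n, 0), size - 1
        else:
            start = int(first)
            end = size - 1 if last == "" else min(int(last), size - 1)
            if start > end:                  # starts past EOF: not satisfiable
                continue
        ranges.append((start, end))
    return ranges or None


def ranges_fit(ranges: List[Tuple[int, int]], size: int) -> bool:
    """The 2.2.20 rule: all ranges together may cover at most `size` bytes.
    Many overlapping ranges that each span the whole file fail this check."""
    total = sum(end - start + 1 for start, end in ranges)
    return total <= size


def decide(header: str, size: int) -> Tuple[int, List[Tuple[int, int]]]:
    """Return (status, ranges): 206 with the ranges to serve, or 200 with no
    ranges when the Range header is ignored and the complete file is sent."""
    ranges = parse_ranges(header, size)
    if ranges is None or not ranges_fit(ranges, size):
        return 200, []
    return 206, ranges
```

A request such as `bytes=0-99,200-299` is served as a 206 partial response, while a header made of hundreds of overlapping `0-` specifiers (the constructed abuse case) sums to far more than the file size and is answered with the plain 200 full-file response.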

For more details:
https://www.apache.org/dist/httpd/Announcement2.2.html