1. Summary of the vulnerabilities
The following two vulnerabilities were published on the same day:
- (published December 20, 2021. CVSS base score: 8.2)
This vulnerability could allow a remote third party to send a crafted URI that crashes the HTTP server (NULL pointer dereference) if the server is configured as a forward proxy. Alternatively, it could allow a remote third party to send a spoofed URI that is redirected to a declared Unix domain socket endpoint (server-side request forgery) if the server is configured with a mixed forward and reverse proxy setup.
This issue affects the Apache HTTP Server, open-source software from the Apache Software Foundation, versions 2.4.7 through 2.4.51.
- CVE-2021-44790 (published December 20, 2021. CVSS base score: 9.8)
This vulnerability could allow a remote third party to send carefully crafted HTTP requests that cause a buffer overflow if the server is configured to use the "mod_lua" module of the Apache HTTP Server, which is open-source software from the Apache Software Foundation.
This issue affects Apache HTTP Server 2.4.51 and earlier versions.
2. Effects on our products
No products are affected by these vulnerabilities.
The Apache HTTP Server is not used in our products, with the exception of aQrate. The latest version of aQrate ships the affected version of the Apache HTTP Server, but the corresponding configurations are NOT enabled during installation. Neither the forward proxy feature nor mod_lua is used in the product.
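Both advisories above are conditional on configuration (a forward proxy, a forward proxy combined with a Unix domain socket backend, and a loaded mod_lua), so the practical check for an operator is to confirm that those settings are absent from the running httpd configuration. The script below is an added example and is not code from the advisory or from the aQrate product. It scans a single flat httpd.conf text for the relevant directives (`ProxyRequests On`, `ProxyPass`/`ProxyPassMatch` targets using the `unix:` scheme, and `LoadModule lua_module`); the two sample configurations are constructed for the example and do not describe any product's real configuration. It does not expand `Include` directives or evaluate `<IfModule>` conditions, so on a live host it should be paired with `apachectl -M` (or `httpd -M`) to list the modules actually loaded.

```python
import re

# Constructed sample: proxy module present, mod_lua commented out,
# forward proxying disabled, reverse proxy to a TCP backend only.
SAMPLE_SAFE_CONF = """
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule lua_module modules/mod_lua.so
ProxyRequests Off
ProxyPass /app http://127.0.0.1:8080/
"""

# Constructed sample that matches the conditions both advisories describe:
# forward proxy enabled, a Unix-socket reverse proxy target, and mod_lua loaded.
SAMPLE_EXPOSED_CONF = """
LoadModule proxy_module modules/mod_proxy.so
LoadModule lua_module modules/mod_lua.so
ProxyRequests On
ProxyPass /api unix:/var/run/app.sock|http://localhost/
"""


def active_directives(conf_text):
    """Yield (directive_name_lowercased, argument_string) for each
    non-empty, non-comment line of a flat httpd.conf text."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def assess_config(conf_text):
    """Return which of the advisory-relevant settings are present."""
    findings = {
        "forward_proxy": False,     # ProxyRequests On
        "unix_socket_proxy": False, # ProxyPass/ProxyPassMatch to unix:...
        "mod_lua": False,           # LoadModule lua_module ...
    }
    for name, args in active_directives(conf_text):
        if name == "proxyrequests" and args.strip().lower() == "on":
            findings["forward_proxy"] = True
        elif name in ("proxypass", "proxypassmatch") and re.search(r"\bunix:", args, re.I):
            findings["unix_socket_proxy"] = True
        elif name == "loadmodule":
            module = args.split()
            if module and module[0].lower() == "lua_module":
                findings["mod_lua"] = True
    return findings


def exposure_notes(findings):
    """Map the findings to the conditions stated in the two advisories."""
    notes = []
    if findings["forward_proxy"]:
        notes.append("forward proxy enabled: the crash condition of the first advisory applies")
    if findings["forward_proxy"] and findings["unix_socket_proxy"]:
        notes.append("forward proxy plus Unix-socket backend: the SSRF condition applies")
    if findings["mod_lua"]:
        notes.append("mod_lua loaded: the CVE-2021-44790 condition applies")
    return notes


if __name__ == "__main__":
    for label, conf in (("safe", SAMPLE_SAFE_CONF), ("exposed", SAMPLE_EXPOSED_CONF)):
        notes = exposure_notes(assess_config(conf))
        print(f"{label}: {'no advisory conditions present' if not notes else '; '.join(notes)}")
```

To run it against a real host, read the effective configuration text (for example the file named by `httpd -V` as `SERVER_CONFIG_FILE`) into `assess_config`, and treat an empty `exposure_notes` result as consistent with the "configurations are NOT enabled" statement above, not as proof that the installed version is patched.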