Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.3239
USN-5090-3 and USN-5090-4: Apache HTTP Server regression
29 September 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Apache HTTP Server
Publisher: Ubuntu
Operating System: Ubuntu
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-40438 CVE-2021-39275 CVE-2021-36160
CVE-2021-34798 CVE-2021-33193
Reference: ESB-2021.3229
ESB-2021.3148
Original Bulletin:
https://ubuntu.com/security/notices/USN-5090-3
https://ubuntu.com/security/notices/USN-5090-4
Comment: This bulletin contains two (2) Ubuntu security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
USN-5090-3: Apache HTTP Server regression
28 September 2021
USN-5090-1 introduced a regression in Apache HTTP Server.
Releases
o Ubuntu 21.04
o Ubuntu 20.04 LTS
o Ubuntu 18.04 LTS
Packages
o apache2 - Apache HTTP server
Details
USN-5090-1 fixed vulnerabilities in Apache HTTP Server. One of the upstream
fixes introduced a regression in UDS URIs. This update fixes the problem.
Original advisory details:
James Kettle discovered that the Apache HTTP Server HTTP/2 module
incorrectly handled certain crafted methods. A remote attacker could
possibly use this issue to perform request splitting or cache poisoning
attacks. ( CVE-2021-33193 )
It was discovered that the Apache HTTP Server incorrectly handled certain
malformed requests. A remote attacker could possibly use this issue to
cause the server to crash, resulting in a denial of service.
( CVE-2021-34798 )
Li Zhi Xin discovered that the Apache mod_proxy_uwsgi module incorrectly
handled certain request uri-paths. A remote attacker could possibly use
this issue to cause the server to crash, resulting in a denial of service.
This issue only affected Ubuntu 20.04 LTS and Ubuntu 21.04.
( CVE-2021-36160 )
It was discovered that the Apache HTTP Server incorrectly handled escaping
quotes. If the server was configured with third-party modules, a remote
attacker could use this issue to cause the server to crash, resulting in a
denial of service, or possibly execute arbitrary code. ( CVE-2021-39275 )
It was discovered that the Apache mod_proxy module incorrectly handled
certain request uri-paths. A remote attacker could possibly use this issue
to cause the server to forward requests to arbitrary origin servers.
( CVE-2021-40438 )
Update instructions
The problem can be corrected by updating your system to the following package
versions:
Ubuntu 21.04
o apache2 - 2.4.46-4ubuntu1.3
o apache2-bin - 2.4.46-4ubuntu1.3
Ubuntu 20.04
o apache2 - 2.4.41-4ubuntu3.6
o apache2-bin - 2.4.41-4ubuntu3.6
Ubuntu 18.04
o apache2 - 2.4.29-1ubuntu4.18
o apache2-bin - 2.4.29-1ubuntu4.18
In general, a standard system update will make all the necessary changes.
References
o https://launchpad.net/bugs/1945311
- --------------------------------------------------------------------------------
USN-5090-4: Apache HTTP Server regression
28 September 2021
USN-5090-1 introduced a regression in Apache HTTP Server.
Releases
o Ubuntu 16.04 ESM
Packages
o apache2 - Apache HTTP server
Details
USN-5090-1 fixed vulnerabilities in Apache HTTP Server. One of the upstream
fixes introduced a regression in UDS URIs. This update fixes the problem.
Original advisory details:
James Kettle discovered that the Apache HTTP Server HTTP/2 module
incorrectly handled certain crafted methods. A remote attacker could
possibly use this issue to perform request splitting or cache poisoning
attacks. ( CVE-2021-33193 )
It was discovered that the Apache HTTP Server incorrectly handled certain
malformed requests. A remote attacker could possibly use this issue to
cause the server to crash, resulting in a denial of service.
( CVE-2021-34798 )
Li Zhi Xin discovered that the Apache mod_proxy_uwsgi module incorrectly
handled certain request uri-paths. A remote attacker could possibly use
this issue to cause the server to crash, resulting in a denial of service.
This issue only affected Ubuntu 20.04 LTS and Ubuntu 21.04.
( CVE-2021-36160 )
It was discovered that the Apache HTTP Server incorrectly handled escaping
quotes. If the server was configured with third-party modules, a remote
attacker could use this issue to cause the server to crash, resulting in a
denial of service, or possibly execute arbitrary code. ( CVE-2021-39275 )
It was discovered that the Apache mod_proxy module incorrectly handled
certain request uri-paths. A remote attacker could possibly use this issue
to cause the server to forward requests to arbitrary origin servers.
( CVE-2021-40438 )
Update instructions
The problem can be corrected by updating your system to the following package
versions:
Ubuntu 16.04
o apache2 - 2.4.18-2ubuntu3.17+esm3
Available with UA Infra or UA Desktop
o apache2-bin - 2.4.18-2ubuntu3.17+esm3
Available with UA Infra or UA Desktop
In general, a standard system update will make all the necessary changes.
References
o https://launchpad.net/bugs/1945311
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYVPEMuNLKJtyKPYoAQjHlxAAlz6UnUbMMkVLQMU3l7rZdyIBgcrHIHbZ
RHcQQzWKumcG1CYTkRE9EkHWW3hGz7drVkgT2uS+YwsAXA7dGHov6k4BOX3TQqRQ
yMa9/6vW795JkXAXni4hqtNTz+utbema/RB/ZQPJgj5/1G8NJz7OrXuE2xlllp5r
6lR9o5xt0V7vI0ys0h8Ao9z9etki1uC0pTn7GYRhG1YY5lBw9cy7GwpF6wO39C/0
uBNVZNOK6qI+rWf4QZBOxB1rBsZDYVe2QimFNs33Dycl5shXTsT/yVHQqDuXtC9H
E+GjO9nDNJG4Ege7yABn7A+ogTvgZnweNmhifEQ7UABJyV1vkhpGUNbo/a8/FX79
XOBsaIM0fs3F6Rqk4UVySIZ3nytu9c/TfpN1ExEbDHp7LmJYxdy82H9OzzCfoEAF
rkwfUlWoUXZz5ohmTWk4m2yk/1O1ZoVbnwWEsd3T9q/Q4oqGwc2apF0iFIP0pt1P
LHpf1EAzXZFoJKpuR2yUMbnFwCIazmlFmWoXWOanJwYcMiaZrYjK0jG7ok/OOK9y
yQygNqVos9FiN7CG2J9W3Y9OM568RWlDdZNgHCaVMeQcsklG46tWu9pk20PSrfyT
pE+TTJ/t8i2qBGnaI/AlvW3lkYvBeAnbewE7wWBrtONHEohyBTInZ+L98CwDMm++
1spupRlNxdk=
=gejM
-----END PGP SIGNATURE-----