Skip to content

OSG-SEC-2021-11-03 HIGH severity vulnerability in Apache HTTP mod_proxy

Dear OSG Security Contacts,

A Server-Side Request Forgery (SSRF) flaw was found in mod_proxy of httpd (CVE-2021-40438) [1]. The OSG Security Team considers this vulnerability to be of HIGH severity for affected systems.

IMPACTED VERSIONS:

mod_proxy on Apache HTTP Server 2.4.48 and earlier

WHAT ARE THE VULNERABILITIES:

A Server-Side Request Forgery (SSRF) flaw was found in mod_proxy of httpd. This flaw allows a remote, unauthenticated attacker to make the httpd server forward requests to an arbitrary server. The attacker could get, modify, or delete resources on other services that may be behind a firewall and inaccessible otherwise. The impact of this flaw varies based on what services and resources are available on the httpd network. [1][2]

WHAT YOU SHOULD DO:

Sites should update as soon as possible, for updated packages and installation information see below.

For sites running RHEL 8/7 and CentOS see [2]

For sites running Debian see [3]

For sites running Ubuntu see [4]

For sites running Scientific Linux see [5]

REFERENCES

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-40438

[2] https://access.redhat.com/security/cve/CVE-2021-40438

[3] https://security-tracker.debian.org/tracker/CVE-2021-40438

[4] https://ubuntu.com/security/CVE-2021-40438

[5] https://scientificlinux.org/category/sl-errata/

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team