September 17, 2021
Severity
Medium
Analysis Summary
CVE-2021-39239
Apache Jena could allow a remote attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations. By supplying specially crafted XML content, a remote attacker could exploit this vulnerability to read arbitrary files on the server.
CVE-2021-39275
Apache HTTP Server is vulnerable to a buffer overflow, caused by improper bounds checking by the ap_escape_quotes() function. By sending specially crafted input, a remote attacker could write beyond the end of a buffer.
CVE-2021-40438
Apache HTTP Server is vulnerable to server-side request forgery, caused by an error in mod_proxy. By sending a specially crafted request URI path, a remote attacker could exploit this vulnerability to have the request forwarded to an origin server of the attacker's choosing.
CVE-2021-36160
Apache HTTP Server is vulnerable to a denial of service, caused by an out-of-bounds read in mod_proxy_uwsgi. By sending a specially crafted request URI path, a remote attacker could exploit this vulnerability to read beyond the allocated memory and cause the server to crash.
CVE-2021-34798
Apache HTTP Server is vulnerable to a denial of service, caused by a NULL pointer dereference in httpd core. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
Impact
- Information Disclosure
- Buffer Overflow
- Unauthorized Access
- Denial of Service
Affected Vendors
- Apache
Affected Products
- Apache Jena 4.1.0
- Apache HTTP Server 2.4.0
- Apache HTTP Server 2.4.1
- Apache HTTP Server 2.4.2
- Apache HTTP Server 2.4.3
- Apache HTTP Server 2.4.4
- Apache HTTP Server 2.4.6
- Apache HTTP Server 2.4.7
- Apache HTTP Server 2.4.9
- Apache HTTP Server 2.4.10
- Apache HTTP Server 2.4.12
- Apache HTTP Server 2.4.17
- Apache HTTP Server 2.4.18
- Apache HTTP Server 2.4.20
- Apache HTTP Server 2.4.23
- Apache HTTP Server 2.4.25
- Apache HTTP Server 2.4.26
- Apache HTTP Server 2.4.27
- Apache HTTP Server 2.4.28
- Apache HTTP Server 2.4.29
- Apache HTTP Server 2.4.33
- Apache HTTP Server 2.4.34
- Apache HTTP Server 2.4.35
- Apache HTTP Server 2.4.37
- Apache HTTP Server 2.4.39
- Apache HTTP Server 2.4.41
- Apache HTTP Server 2.4.43
- Apache HTTP Server 2.4.46
- Apache HTTP Server 2.4.48
Remediation
Upgrade to the latest version of Apache Jena, available from the Apache Web site.
Upgrade to the latest version of Apache HTTP Server, available from the Apache Web site.
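As an added triage helper (not part of this alert), the script below checks an `httpd -v` banner and a Jena version string against the affected versions listed above, flagging older builds that are not on the list for manual review; the banner format and the sample values are assumptions.

```python
import re
from typing import Optional, Tuple

# Affected versions as listed in this alert.
AFFECTED_HTTPD = {
    "2.4.0", "2.4.1", "2.4.2", "2.4.3", "2.4.4", "2.4.6", "2.4.7", "2.4.9",
    "2.4.10", "2.4.12", "2.4.17", "2.4.18", "2.4.20", "2.4.23", "2.4.25",
    "2.4.26", "2.4.27", "2.4.28", "2.4.29", "2.4.33", "2.4.34", "2.4.35",
    "2.4.37", "2.4.39", "2.4.41", "2.4.43", "2.4.46", "2.4.48",
}
AFFECTED_JENA = {"4.1.0"}

# Assumed first line of `httpd -v`, e.g. "Server version: Apache/2.4.46 (Unix)".
_HTTPD_RE = re.compile(r"Server version:\s*Apache/(\d+\.\d+\.\d+)")


def parse_httpd_version(banner: str) -> Optional[str]:
    """Extract the x.y.z version string from `httpd -v` output, or None."""
    m = _HTTPD_RE.search(banner)
    return m.group(1) if m else None


def version_tuple(v: str) -> Tuple[int, ...]:
    """Turn '2.4.46' into (2, 4, 46) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def httpd_status(banner: str) -> str:
    """Classify a banner: 'affected', 'review', 'not-listed' or 'unknown'."""
    v = parse_httpd_version(banner)
    if v is None:
        return "unknown"
    if v in AFFECTED_HTTPD:
        return "affected"
    # Builds no newer than the newest listed version but absent from the
    # list are sent to manual review instead of being silently cleared.
    newest = max(AFFECTED_HTTPD, key=version_tuple)
    if version_tuple(v) <= version_tuple(newest):
        return "review"
    return "not-listed"


def jena_status(version: str) -> str:
    """Check a Jena version string against the alert's affected list."""
    return "affected" if version.strip() in AFFECTED_JENA else "not-listed"


if __name__ == "__main__":
    # Constructed sample banners for a local run.
    for b in ("Server version: Apache/2.4.46 (Unix)",
              "Server version: Apache/2.4.49 (Unix)"):
        print(b, "->", httpd_status(b))
```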