Don’t forget “the other Apache”
Rewind to the oh-so-recent pre-Log4j era and we suggest that you’d get a different pair of answers, namely:
A1. Yes. A2. Apache’s a web server, isn’t it? (Actually, it’s a software foundation that makes a web server, amongst much else.)
A1. Yes. A2. Apache makes httpd, probably still the world’s most prevalent web server.
With more than 3000 files totalling close to a million lines of source code, Apache httpd is a large and capable server, with myriad combinations of modules and options making it both powerful and dangerous at the same time.
Fortunately, the open source httpd product receives constant attention from its developers, getting regular updates that bring new features along with critical security patches.
So, in all the excitement about Apache Log4j, don’t forget that:
- You almost certainly have Apache httpd in your network somewhere. Just like Log4j, httpd has a habit of getting itself quietly included into software projects, for example as part of an internal service that works so well that it rarely draws attention to itself, or as a component built unobtrusively into a product or service you sell that isn’t predominantly thought of as “containing a web server”.
- Apache just published an httpd update that fixes two CVE-numbered security bugs. These bugs might not be exposed in your configuration, because they are part of optional run-time modules that you might not actually be using. But if you are using these modules, whether you realise it or not, you could be at risk of server crashes, data leakage, or even remote code execution.
What got fixed?
The two CVE-numbered flaws are listed in Apache’s own changelog as follows:
- CVE-2021-44790: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier.
- CVE-2021-44224: Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier.
The good news about the first bug is that Apache itself warns that the mod_lua server extension (which allows you to adapt the behaviour of httpd using Lua scripts instead of having to write modules in C):
…holds a great deal of power over httpd, which is both a strength and a potential security risk. It is not recommended that you use this module on a server that is shared with users you do not trust, as it can be abused to change the internal workings of httpd.
However, as Log4j has taught us, potentially exploitable bugs even on non-public servers can be troublesome if those bugs can be triggered by untrusted user data passed along by other internet-facing servers at your network edge.
And CVE-2021-44790 doesn’t involve sneaking any untrusted add-on Lua scripts into the configuration.
Instead, it involves simply tricking the “preprocessor” that prepares untrusted user content to be passed to trusted Lua scripts, namely the multipart request-body parser that mod_lua itself offers to scripts through r:parsebody(). Any Lua handler that calls that function on a request body an outsider can control is exposed, so the attack does not depend on bugs or flaws in any of the add-on scripts you may have written yourself.
Multipart message splitting
Simply put, the CVE-2021-44790 bug exists in the code that deconstructs multipart messages, common in web form uploads.
Technically, each part’s body consists of the data after the blank line that ends that part’s header block (see above), and before the next boundary line, which consists of two dashes (hyphens) followed by the unique boundary marker text. The CRLF immediately before a boundary line belongs to the boundary, not to the body that precedes it.
(In case you are wondering, the extra double-dash at the end of the very last line above signals the final item in the list.)
A blank line in the raw data appears as two consecutive CRLF (carriage return plus line feed) pairs, or the ASCII codes (13,10,13,10), denoted in C by the text string "\r\n\r\n".
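As an added example (not code from this article, and not Apache’s mod_lua code), here is a small bounded multipart splitter in C that shows the pieces described above: the "--boundary" delimiter lines, the CRLF CRLF blank line that separates each part’s headers from its body, and the trailing "--" on the final delimiter. The boundary name XyZ and the sample body are constructed for illustration. It does not reproduce CVE-2021-44790; it shows the checks a parser needs so that a missing blank line or a missing closing boundary makes it stop with an error instead of scanning past the end of the buffer it was handed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One part of a multipart body: views into the input buffer, no copying. */
typedef struct {
    const char *headers; size_t headers_len;  /* raw header lines, without the blank line */
    const char *body;    size_t body_len;     /* bytes between the blank line and the next boundary */
} part_t;

/* Bounded substring search: looks only inside [hay, hay + hay_len). */
static const char *find(const char *hay, size_t hay_len,
                        const char *needle, size_t needle_len)
{
    for (size_t i = 0; needle_len && i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0)
            return hay + i;
    return NULL;
}

/* Split a multipart body into parts. Returns the part count, or -1 if the
 * message is malformed or truncated (missing blank line, missing closing
 * boundary, too many parts). Every scan is bounded by len; the input need not
 * be NUL-terminated. Whitespace after a boundary (allowed by RFC 2046) is not
 * accepted, to keep the example short. */
int parse_multipart(const char *buf, size_t len, const char *boundary,
                    part_t *parts, int max_parts)
{
    char delim[80];                     /* CRLF "--" boundary; RFC 2046 caps boundary at 70 chars */
    size_t blen = strlen(boundary), dlen = blen + 4;
    if (blen == 0 || dlen >= sizeof delim) return -1;
    memcpy(delim, "\r\n--", 4);
    memcpy(delim + 4, boundary, blen);

    const char *end = buf + len, *p;
    /* First delimiter: "--boundary" at offset 0, or preceded by CRLF after a preamble. */
    if (len >= dlen - 2 && memcmp(buf, delim + 2, dlen - 2) == 0)
        p = buf + dlen - 2;
    else if ((p = find(buf, len, delim, dlen)) != NULL)
        p += dlen;
    else
        return -1;

    int n = 0;
    for (;;) {
        size_t rem = (size_t)(end - p);
        if (rem >= 2 && memcmp(p, "--", 2) == 0)      /* "--boundary--": closing delimiter */
            return n;
        if (rem < 2 || memcmp(p, "\r\n", 2) != 0)     /* delimiter line must end in CRLF */
            return -1;
        if (n == max_parts) return -1;

        /* Headers run from after this CRLF to the first blank line (CRLF CRLF).
         * Searching from p, the delimiter's own CRLF, makes an empty header
         * block (CRLF immediately followed by CRLF) fall out naturally. */
        const char *blank = find(p, rem, "\r\n\r\n", 4);
        if (blank == NULL) return -1;                 /* no blank line: stop, do not read further */
        parts[n].headers     = p + 2;
        parts[n].headers_len = blank == p ? 0 : (size_t)(blank - (p + 2));

        /* Body runs to the CRLF that begins the next delimiter line; that CRLF
         * belongs to the delimiter, not to the body. */
        const char *body = blank + 4;
        const char *next = find(body, (size_t)(end - body), delim, dlen);
        if (next == NULL) return -1;                  /* no closing boundary */
        parts[n].body     = body;
        parts[n].body_len = (size_t)(next - body);
        n++;
        p = next + dlen;
    }
}

/* Constructed sample form upload (not captured from any real server). */
static const char sample[] =
    "--XyZ\r\n"
    "Content-Disposition: form-data; name=\"title\"\r\n"
    "\r\n"
    "hello\r\n"
    "--XyZ\r\n"
    "Content-Disposition: form-data; name=\"file\"; filename=\"a.txt\"\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "line1\r\nline2\r\n"
    "--XyZ--\r\n";

int sample_part_count(void)            /* whole sample: two parts */
{
    part_t parts[4];
    return parse_multipart(sample, sizeof sample - 1, "XyZ", parts, 4);
}

size_t sample_body_len(int i)          /* body length of part i, or 0 if unparseable */
{
    part_t parts[4];
    int n = parse_multipart(sample, sizeof sample - 1, "XyZ", parts, 4);
    return (i >= 0 && i < n) ? parts[i].body_len : 0;
}

int truncated_result(void)             /* cut off inside the first header line: -1 */
{
    part_t parts[4];
    return parse_multipart(sample, 30, "XyZ", parts, 4);
}

int unterminated_result(void)          /* closing "--XyZ--" line removed: -1 */
{
    part_t parts[4];
    return parse_multipart(sample, sizeof sample - 1 - 9, "XyZ", parts, 4);
}

int main(void)
{
    part_t parts[4];
    int n = parse_multipart(sample, sizeof sample - 1, "XyZ", parts, 4);
    for (int i = 0; i < n; i++)
        printf("part %d: %zu header bytes, body \"%.*s\"\n",
               i, parts[i].headers_len, (int)parts[i].body_len, parts[i].body);
    printf("truncated -> %d, unterminated -> %d\n", truncated_result(), unterminated_result());
    return 0;
}
```

The two failure functions are the point of the exercise: a parser that locates "\r\n\r\n" or the next boundary with an unbounded scan (strstr on a buffer that is not NUL-terminated, say) keeps reading when either marker is absent, whereas every search here is told exactly how many bytes remain and reports -1 instead.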