Information on CVE-2021-44790 and CVE-2021-44224 affecting Apache HTTP Server 2.4.51 and earlier
Created On 12/31/21 01:31 AM - Last Modified 06/24/25 04:32 AM
Symptom
Looking for detailed information on the CVE-2021-44790 and CVE-2021-44224 vulnerabilities from the perspective of Palo Alto software (PAN-OS), along with IPS coverage information.
Environment
- Palo Alto Firewalls
- Any PAN-OS
- Apache HTTP Server 2.4.51 and earlier.
Cause
- Palo Alto firewalls (PAN-OS software) do not use any features that are vulnerable to CVE-2021-44790 (mod_lua) or CVE-2021-44224 (forward proxy).
- The signature for CVE-2021-44790 was released in content version 8522.
- We are currently monitoring for a potential Proof of Concept (PoC) for the signature coverage of CVE-2021-44224. Please refer to the article below for more information.
- The signatures will be made available on Threat Vault when released. This link can be periodically checked for updates.
Resolution
Resolution:
- The vulnerabilities are fixed in Apache HTTP Server version 2.4.52 and later. Please upgrade to the fixed version to mitigate them.
Note: Please review the impact and risk of the vulnerability before upgrading/performing the workaround. Involve the Application Owner if required.
Workaround:
- For CVE-2021-44790, make sure that "mod_lua" is disabled.
- For CVE-2021-44224, make sure "ProxyRequests on" is commented out or not used in httpd.conf.
- Restart the httpd service on the server.
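One way to check the two workaround items on a server, as an added example that is not part of the original article or vendor tooling. The function names are hypothetical, the sample config is constructed, and the script reads a single file without following Include/IncludeOptional directives.

```shell
#!/bin/sh
# Added example (not vendor code): audit one httpd config file for the two
# workaround conditions. Include/IncludeOptional files are NOT followed.

# Active (uncommented) lines that load mod_lua; httpd directive names are
# case-insensitive, hence -i. Output is "lineno:line".
active_mod_lua() {
    grep -Ein '^[[:space:]]*LoadModule[[:space:]]+lua_module([[:space:]]|$)' "$1"
}

# Active lines that turn forward proxying on.
active_proxyrequests_on() {
    grep -Ein '^[[:space:]]*ProxyRequests[[:space:]]+"?on"?[[:space:]]*$' "$1"
}

# True (0) when a dotted version such as 2.4.51 sorts before the fixed 2.4.52.
version_is_affected() {
    lowest=$(printf '%s\n2.4.52\n' "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$1" != "2.4.52" ] && [ "$lowest" = "$1" ]
}

# Print findings; exit status is the number of workaround items still open.
audit_httpd_conf() {
    open=0
    if hits=$(active_mod_lua "$1"); then
        printf 'CVE-2021-44790: mod_lua is loaded\n%s\n' "$hits"; open=$((open + 1))
    fi
    if hits=$(active_proxyrequests_on "$1"); then
        printf 'CVE-2021-44224: forward proxy is enabled\n%s\n' "$hits"; open=$((open + 1))
    fi
    return "$open"
}

# Constructed sample config (not from a real server) for trying the audit.
write_sample_conf() {
    cat > "$1" <<'EOF'
ServerRoot "/etc/httpd"
#LoadModule lua_module modules/mod_lua.so
  loadmodule lua_module modules/mod_lua.so
LoadModule proxy_module modules/mod_proxy.so
# ProxyRequests On
ProxyRequests On
ProxyPass "/app" "http://127.0.0.1:8080/"
EOF
}

# Usage: sh audit.sh /path/to/httpd.conf
[ "$#" -eq 0 ] || audit_httpd_conf "$1"
```

An exit status of 0 means neither directive is active in that file; run it again after the restart to confirm the change was saved to the file httpd actually loads.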
Additional Information
CVE-2021-44790: Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier.
CVE-2021-44224: Possible NULL dereference or SSRF in forward proxy configurations in Apache HTTP Server 2.4.51 and earlier.
A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).
https://nvd.nist.gov/vuln/detail/CVE-2021-44790
https://nvd.nist.gov/vuln/detail/CVE-2021-44224
18 Mar 22 (Vijay) - Content Std updated with Mariano and published external.