Critical Apache HTTPD Server Bugs Could Lead to RCE, DoS
upstart writes:
Critical Apache HTTPD Server Bugs Could Lead to RCE, DoS:
Don't duck at the latest mention of Apache: Two critical bugs in its HTTP web server - HTTPD - need to be patched pronto, lest they lead to attackers triggering denial of service (DoS) or bypassing your security policies.
Apache, the open-source software foundation behind the Log4J logging library that's been making for so many Log4Shell headlines, on Monday put out an update to fix the two bugs in HTTPD, which is a web server that's right up there with Log4j in its ubiquity.
Both vulnerabilities are found in Apache HTTP Server 2.4.51 and earlier.
[...] In a Tuesday writeup of the two CVEs, Sophos principal security researcher Paul Ducklin said that the two bugs could leave servers at risk of some serious hurt.
"These bugs might not be exposed in your configuration, because they are part of optional run-time modules that you might not actually be using," Ducklin noted. "But if you are using these modules, whether you realize it or not, you could be at risk of server crashes, data leakage or even remote code execution."
Read more of this story at SoylentNews.