CVE-2021-40438: mod_proxy SSRF
First published: Thu Sep 16 2021(Updated: )
A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jbcs-httpd24-httpd | <0:2.4.37-76.el8 | 0:2.4.37-76.el8 |
| redhat/jbcs-httpd24-httpd | <0:2.4.37-76.jbcs.el7 | 0:2.4.37-76.jbcs.el7 |
| redhat/httpd | <0:2.4.6-97.el7_9.1 | 0:2.4.6-97.el7_9.1 |
| redhat/httpd | <0:2.4.6-40.el7_2.7 | 0:2.4.6-40.el7_2.7 |
| redhat/httpd | <0:2.4.6-45.el7_3.6 | 0:2.4.6-45.el7_3.6 |
| redhat/httpd | <0:2.4.6-67.el7_4.7 | 0:2.4.6-67.el7_4.7 |
| redhat/httpd | <0:2.4.6-89.el7_6.2 | 0:2.4.6-89.el7_6.2 |
| redhat/httpd | <0:2.4.6-90.el7_7.1 | 0:2.4.6-90.el7_7.1 |
| redhat/httpd24-httpd | <0:2.4.34-22.el7.1 | 0:2.4.34-22.el7.1 |
| debian/apache2 | 2.4.38-3+deb10u8 2.4.38-3+deb10u10 2.4.56-1~deb11u2 2.4.56-1~deb11u1 2.4.57-2 2.4.57-3 2.4.58-1 | |
| redhat/httpd | <2.4.49 | 2.4.49 |
| Apache HTTP Server | ||
| Apache HTTP Server | <=2.4.48 | |
| Fedora | =34 | |
| Fedora | =35 | |
| Debian | =9.0 | |
| Debian | =10.0 | |
| Debian | =11.0 | |
| NetApp Cloud Backup | ||
| IBM Data ONTAP | ||
| NetApp StorageGrid | ||
| F5 F5OS | >=1.1.0<=1.1.4 | |
| F5 F5OS | >=1.2.0<=1.2.1 | |
| Oracle Enterprise Manager Ops Center | =12.4.0.0 | |
| Oracle HTTP Server | =12.2.1.3.0 | |
| Oracle HTTP Server | =12.2.1.4.0 | |
| Oracle Instantis EnterpriseTrack | =17.1 | |
| Oracle Instantis EnterpriseTrack | =17.2 | |
| Oracle Instantis EnterpriseTrack | =17.3 | |
| Tarantella Secure Global Desktop | =5.6 | |
| Oracle Storage Cloud Software Appliance | =8.8 | |
| Siemens SINEC NMS SP1 Update 1 | ||
| Siemens SINEMA Server SP3 | =14.0 | |
| Broadcom Fabric Operating System | ||
| Siemens Ruggedcom NMS | ||
| Siemens SINEC NMS SP1 Update 1 | <1.0.3 | |
| Siemens SINEMA Remote Connect | <3.1 | |
| Siemens SINEMA Remote Connect | =3.2 | |
| Tenable.sc | <=5.19.1 |
Remedy
Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-40438 https://nvd.nist.gov/vuln/detail/CVE-2021-40438
- https://bugzilla.redhat.com/show_bug.cgi?id=2005117
- https://access.redhat.com/errata/RHSA-2021:3746
- https://access.redhat.com/errata/RHSA-2021:3856
- https://access.redhat.com/errata/RHSA-2021:3816
- https://access.redhat.com/errata/RHSA-2021:3837
- https://access.redhat.com/errata/RHSA-2021:3836
- https://access.redhat.com/errata/RHSA-2021:3745
- https://access.redhat.com/errata/RHSA-2021:3754
- https://access.redhat.com/security/cve/cve-2021-40438
- https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-40438
- https://github.com/apache/httpd/commit/496c863776c68bd08cdbeb7d8fa5935ba63b76c2
- https://github.com/apache/httpd/commit/d4901cb32133bc0e59ad193a29d1665597080d67
- https://github.com/apache/httpd/commit/6e768a811c59ca6a0769b72681aaef381823339f
- https://github.com/apache/httpd/commit/81a8b0133b46c4cf7dfc4b5476ad46eb34aa0a5c
- https://security-tracker.debian.org/tracker/CVE-2021-40438
- https://cert-portal.siemens.com/productcert/pdf/ssa-685781.pdf
- https://httpd.apache.org/security/vulnerabilities_24.html
- https://lists.apache.org/thread.html/r210807d0bb55f4aa6fbe1512be6bcc4dacd64e84940429fba329967a@%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37@%3Cbugs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432@%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c@%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697@%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029@%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf6954e60b1c8e480678ce3d02f61b8a788997785652e9557a3265c00@%3Cusers.httpd.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/10/msg00001.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/
- https://security.gentoo.org/glsa/202208-20
- https://security.netapp.com/advisory/ntap-20211008-0004/
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-apache-httpd-2.4.49-VWL69sWQ
- https://www.debian.org/security/2021/dsa-4982
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.tenable.com/security/tns-2021-17
- https://lists.apache.org/thread.html/r210807d0bb55f4aa6fbe1512be6bcc4dacd64e84940429fba329967a%40%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r2eb200ac1340f69aa22af61ab34780c531d110437910cb9c0ece3b37%40%3Cbugs.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r3925e167d5eb1c75def3750c155d753064e1d34a143028bb32910432%40%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r61fdbfc26ab170f4e6492ef3bd5197c20b862ce156e9d5a54d4b899c%40%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r82838efc5fa6fc4c73986399c9b71573589f78b31846aff5bd9b1697%40%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/r82c077663f9759c7df5a6656f925b3ee4f55fcd33c889ba7cd687029%40%3Cusers.httpd.apache.org%3E
- https://lists.apache.org/thread.html/rf6954e60b1c8e480678ce3d02f61b8a788997785652e9557a3265c00%40%3Cusers.httpd.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SPBR6WUYBJNACHKE65SPL7TJOHX7RHWD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNCYSR3BXT36FFF4XTCPL3HDQK4VP45R/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2005118
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://svn.apache.org/viewvc?view=revision&revision=1893101
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2005117#c5
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2005117#c22
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1859720
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1859720&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1859722
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1859722&action=edit
- https://nvd.nist.gov/vuln/detail/CVE-2021-40438
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-40438?
CVE-2021-40438 is a Server-Side Request Forgery (SSRF) vulnerability found in Apache HTTP Server (httpd) that allows a remote attacker to make the server forward requests to an arbitrary server.
How severe is CVE-2021-40438?
CVE-2021-40438 has a severity level of critical, with a CVSS score of 9.0.
Which software versions are affected by CVE-2021-40438?
CVE-2021-40438 affects Apache HTTP Server (httpd) versions up to and including 2.4.49.
How can I fix CVE-2021-40438?
To fix CVE-2021-40438, upgrade to Apache HTTP Server (httpd) version 2.4.49 or apply the recommended patches provided by your software vendor.
Where can I find more information about CVE-2021-40438?
You can find more information about CVE-2021-40438 on the Apache HTTP Server security vulnerabilities page and the Red Hat Bugzilla page.
- collector/redhat-cve
- collector/security-tracker-debian
- agent/type
- agent/first-publish-date
- agent/severity
- agent/remedy
- agent/weakness
- agent/author
- agent/description
- agent/references
- agent/event
- agent/trending
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-40438
- agent/software-canonical-lookup
- agent/source
- agent/title
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup-request
- agent/tags
- collector/nvd-index
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- collector/nvd-api
- package-manager/redhat
- package-manager/debian
- vendor/apache
- canonical/apache http server
- version/apache http server/2.4.48
- vendor/fedoraproject
- canonical/fedora
- version/fedora/34
- version/fedora/35
- vendor/debian
- canonical/debian
- version/debian/9.0
- version/debian/10.0
- version/debian/11.0
- vendor/netapp
- canonical/netapp cloud backup
- canonical/ibm data ontap
- canonical/netapp storagegrid
- vendor/f5
- canonical/f5 f5os
- version/f5 f5os/1.1.0
- version/f5 f5os/1.1.4
- version/f5 f5os/1.2.0
- version/f5 f5os/1.2.1
- vendor/oracle
- canonical/oracle enterprise manager ops center
- version/oracle enterprise manager ops center/12.4.0.0
- canonical/oracle http server
- version/oracle http server/12.2.1.3.0
- version/oracle http server/12.2.1.4.0
- canonical/oracle instantis enterprisetrack
- version/oracle instantis enterprisetrack/17.1
- version/oracle instantis enterprisetrack/17.2
- version/oracle instantis enterprisetrack/17.3
- canonical/tarantella secure global desktop
- version/tarantella secure global desktop/5.6
- canonical/oracle storage cloud software appliance
- version/oracle storage cloud software appliance/8.8
- vendor/siemens
- canonical/siemens sinec nms sp1 update 1
- canonical/siemens sinema server sp3
- version/siemens sinema server sp3/14.0
- vendor/broadcom
- canonical/broadcom fabric operating system
- canonical/siemens ruggedcom nms
- canonical/siemens sinema remote connect
- version/siemens sinema remote connect/3.2
- vendor/tenable
- canonical/tenable.sc
- version/tenable.sc/5.19.1