CVE-2021-40438: Apache HTTP Server SSRF
What this means
CVE-2021-40438 is a Server-Side Request Forgery (SSRF) vulnerability in the mod_proxy module of Apache HTTP Server versions 2.4.48 and earlier.
The issue is in mod_proxy's handling of the request URI path: a crafted URI path can cause mod_proxy to forward the request to an origin server chosen by the remote client rather than the one the administrator configured. It is reachable whenever requests are handed to mod_proxy, that is, on servers configured as a reverse proxy (ProxyPass / ProxyPassMatch) or as a forward proxy (ProxyRequests On).
Why this is a problem
Successful exploitation could allow attackers to reach or tamper with resources that would otherwise be unavailable to them, such as services on the server's internal network or the server's own loopback interface.
Since Apache HTTP Server is commonly bundled across a wide ecosystem of products, the vulnerability has broad impact potential.
The vulnerability could be used to bypass IP-based authentication on origin servers or applications and can lead to:
- initiating network reconnaissance – attackers can scan internal services and determine which ports are open
- bypassing security controls – attackers can interact with systems that should not be publicly accessible
- data exfiltration – attackers can get access to confidential data stored in internal servers or cloud metadata services
- exploitation of internal services and Denial of Service – attackers could send repeated requests to overwhelm internal resources
How to check if the problem is there
An administrator should check the installed Apache version (httpd -v, or apachectl -v / apache2ctl -v on packaged builds), whether mod_proxy is loaded (httpd -M lists proxy_module), and whether it is actually used, i.e. whether the configuration contains ProxyPass, ProxyPassMatch or ProxyRequests On.
Apache HTTP Server 2.4.48 and earlier versions are vulnerable when mod_proxy is in use. Note that distribution packages frequently backport security fixes without changing the upstream version number, so on packaged builds the vendor's changelog or advisory, not the version banner alone, determines whether the fix is present.
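As an added example (not code from the original advisory or from the Apache project), the following POSIX shell helpers implement the check above in a form that can be tested offline against collected command output and then run live on a host. The binary names tried, the configuration text and the sample outputs are assumptions and constructed data.

```shell
#!/bin/sh
# Added example, not part of the original advisory: helpers that implement the
# version / module / configuration check for CVE-2021-40438. They operate on the
# text that `httpd -v`, `httpd -M` and a configuration file produce, so the same
# logic can be run on output collected from many hosts. Binary names tried by the
# live check are assumptions.

# Pull "2.4.48" out of a banner such as "Server version: Apache/2.4.48 (Unix)".
httpd_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# True (exit 0) when the version is in the affected range, 2.4.48 or earlier.
# Each component is compared numerically so that 2.4.9 sorts below 2.4.48.
version_is_affected() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3)
    [ -n "$major" ] && [ -n "$minor" ] && [ -n "$patch" ] || return 1
    if [ "$major" -lt 2 ]; then return 0; fi
    if [ "$major" -gt 2 ]; then return 1; fi
    if [ "$minor" -lt 4 ]; then return 0; fi
    if [ "$minor" -gt 4 ]; then return 1; fi
    [ "$patch" -le 48 ]
}

# True when the module list printed by `httpd -M` includes mod_proxy.
mod_proxy_loaded() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*proxy_module'
}

# True when a configuration text actually routes requests into mod_proxy:
# a ProxyPass/ProxyPassMatch reverse proxy or a ProxyRequests On forward proxy.
# ProxyPassReverse alone only rewrites response headers and is not counted.
# Comment lines are ignored.
config_routes_to_proxy() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -Eiq '^[[:space:]]*(ProxyPass(Match)?[[:space:]]|ProxyRequests[[:space:]]+On)'
}

# Live check against the local host. Tries the common binary names (assumed).
# Distribution packages often backport the fix without changing the version,
# so treat an "affected range" result as "verify against the vendor changelog".
check_local_httpd() {
    for bin in httpd apachectl apache2ctl; do
        command -v "$bin" >/dev/null 2>&1 || continue
        banner=$("$bin" -v 2>/dev/null) || continue
        ver=$(httpd_version_from_banner "$banner")
        modules=$("$bin" -M 2>/dev/null)
        if version_is_affected "$ver" && mod_proxy_loaded "$modules"; then
            echo "$bin: Apache/$ver with mod_proxy loaded: in the affected range for CVE-2021-40438"
        else
            echo "$bin: Apache/$ver: not in the affected range, or mod_proxy not loaded"
        fi
        return 0
    done
    echo "no httpd binary found" >&2
    return 1
}

# Run the live check only when asked, e.g. `sh check.sh --live`, so the
# functions can also be sourced and used against collected output.
if [ "${1:-}" = "--live" ]; then
    check_local_httpd
fi
```

The live check only reports on version and loaded modules; feed the active configuration (for example the output of `httpd -t -D DUMP_INCLUDES` resolved to file contents, or the relevant vhost file) to `config_routes_to_proxy` to confirm that mod_proxy is not merely loaded but reachable by requests.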
How to fix this
The recommended fix is to upgrade Apache HTTP Server to 2.4.49 or later. In practice, upgrade to the current 2.4.x release rather than exactly 2.4.49: 2.4.49 and 2.4.50 were themselves superseded by 2.4.51 for unrelated path-traversal fixes (CVE-2021-41773 and CVE-2021-42013). On distribution packages, apply the vendor's patched package, which may carry an older version number.
Other mitigations, where an immediate upgrade is not possible, include:
- disabling unused mod_proxy features – if mod_proxy is not required, do not load it at all (remove or comment out its LoadModule line and those of the proxy_* submodules); if only reverse proxying is needed, make sure forward proxying is off with ProxyRequests Off (the default)
- restricting proxy requests in configuration – a <Proxy> section limits who may send requests through the proxy. In 2.4 the access control is expressed with Require; Deny from all is the pre-2.4 syntax, needs mod_access_compat, and should not be mixed with Require:
    <Proxy "*">
        Require local
    </Proxy>
  Be aware that <Proxy> access control also applies to reverse-proxied (ProxyPass) requests, so Require local would cut off remote users of a public reverse proxy; this restriction suits hosts where proxying is intended only for local clients. It does not remove the flaw itself, which only the upgrade does.
- implementing input validation – where application code or rewrite rules build proxy destinations from user input, validate the destination against an allow-list before it reaches mod_proxy. This reduces generic SSRF exposure but does not address this CVE, which lies in mod_proxy's own handling of the request URI path.
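The following configuration fragment is an added example (not from the original advisory or the Apache project) showing the first two mitigations combined in a 2.4.x reverse-proxy setup: only the needed proxy modules are loaded, forward proxying is explicitly off, a single fixed path prefix is proxied, and <Proxy> access control refuses any proxied URL other than the configured backend. The backend hostname, port and paths are assumptions. This narrows what mod_proxy can be asked to do; it is defence in depth around the upgrade, not a substitute for it.

```apache
# Added example, not from the original advisory or the Apache project.
# Backend hostname, port and paths are assumptions.

# Load only the proxy modules actually needed; leave proxy_connect, proxy_ftp,
# proxy_ajp and the rest unloaded so unused features cannot be reached.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Never act as a forward proxy. Off is the default; stated explicitly here.
ProxyRequests Off

# Reverse-proxy one fixed path prefix to one fixed backend (assumed host).
# Requests outside /app/ are never handed to mod_proxy.
ProxyPass        "/app/" "http://backend.internal:8080/app/"
ProxyPassReverse "/app/" "http://backend.internal:8080/app/"

# <Proxy> sections match the proxied (backend) URL and later sections override
# earlier ones: refuse every proxied URL by default, then permit only the
# configured backend.
<Proxy "*">
    Require all denied
</Proxy>
<Proxy "http://backend.internal:8080/*">
    Require all granted
</Proxy>
```

After changing the configuration, validate it with `httpd -t` (or `apachectl configtest`) and confirm with a request to /app/ that legitimate reverse-proxy traffic still reaches the backend before reloading in production.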