When doing some research, I found a subdomain that is using Apache Tomcat. Talking about Tomcat, there was a vulnerability found in 2017: CVE-2017-12617.

Any Apache Tomcat server with the PUT request method enabled will allow the attacker to create a JSP file on the server through a crafted request, which will lead to RCE:

PUT /1.jsp/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/.113 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4,zh-TW;q=0.2
Cookie: JSESSIONID=A27674F21B3308B4D893205FD2E2BF94

And after some testing, I found that the server had the PUT method enabled. But when I sent the exploit request, there was an error:

PUT /1.jsp/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/.149 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/x-www-form-urlencoded

Response:

Content-Type: text/html;charset=ISO-8859-1

Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Fri Apr 17 11:07:…
There was an unexpected error (type=Internal Server Error, status=500).
URLDecoder: Illegal hex characters in escape (%) pattern - For input string: ' o'

I found that the error is from the Java URLDecoder. The server may have decoded the content in the body of the request, but "% o" is not a valid URL character, so the error turns up. It proves that the server has handled the request; it may work, but it didn't. I have tried POST, but it just proves that there is something special about the PUT method:

POST /1.jsp/ HTTP/1.1

(The POST request does not even produce any error or response.)

I have checked the 1.jsp file, but it hasn't been created yet:

GET /1.jsp/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.…

CVE-2021-40438: Apache HTTP Server mod_proxy SSRF

On September 16, 2021, Apache released version 2.4.49 of HTTP Server, which included a fix for CVE-2021-40438, a critical server-side request forgery (SSRF) vulnerability affecting Apache HTTP Server 2.4.48 and earlier versions. The vulnerability resides in mod_proxy and allows remote, unauthenticated attackers to force vulnerable HTTP servers to forward requests to arbitrary servers, giving them the ability to obtain or tamper with resources that would otherwise be unavailable to them. To be exploitable, CVE-2021-40438 requires that mod_proxy be enabled.

Several sources have confirmed that they have seen exploit attempts of CVE-2021-40438 in the wild. As of November 30, 2021, there is no evidence yet of widespread attacks, but given httpd's prevalence and typical exposure levels (and the fact that it is commonly bundled across a wide ecosystem of products), it is likely that exploitation will continue and potentially increase. Rapid7's vulnerability research team has a detailed technical analysis of this vulnerability in AttackerKB, including a demo of how it can be exploited.

Since other vendors bundle HTTP Server in their products, we expect to see a continued trickle of downstream advisories as third-party software producers update their dependencies. Cisco, for example, has more than 20 products it is investigating as potentially affected by CVE-2021-40438, including a number of network infrastructure solutions and security boundary devices.

Affected versions

According to Apache's advisory, all Apache HTTP Server versions up to 2.4.48 are vulnerable if mod_proxy is in use. CVE-2021-40438 is patched in Apache HTTP Server 2.4.49 and later.

Mitigation guidance

Apache HTTP Server versions 2.4.49 and 2.4.50 included other severe vulnerabilities that are known to be exploited in the wild, so Apache httpd customers should upgrade to the latest version (2.4.51 at time of writing) instead of upgrading incrementally. Rapid7 Labs has observed over 4 million potentially vulnerable instances of Apache httpd 2.x.

NVD's entry for CVE-2021-40438 includes several downstream vendor advisories. We advise paying close attention particularly to firewall or other security boundary product advisories and prioritizing updates for those solutions. InsightVM and Nexpose customers can assess their exposure to CVE-2021-40438 with both authenticated and unauthenticated vulnerability checks.

Updates

December 1, 2021: CISA has added CVE-2021-40438 to its list of Known Exploited Vulnerabilities and specified a remediation date of Decem… for federal agencies.
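The affected-version and upgrade guidance above can be turned into a quick host triage. The following is an added example (not Rapid7's, Apache's, or the original author's code) that reads the output of `httpd -v` and `httpd -M`, flags a host as exposed to CVE-2021-40438 only when the version predates 2.4.49 and proxy_module is loaded, and recommends jumping straight to 2.4.51 rather than stopping at 2.4.49 or 2.4.50; the sample command output is constructed.

```python
import re

PATCHED = (2, 4, 49)      # first release containing the CVE-2021-40438 fix (Apache advisory)
RECOMMENDED = (2, 4, 51)  # 2.4.49 and 2.4.50 carry other exploited bugs; upgrade straight here


def parse_version(httpd_v: str) -> tuple:
    """Extract (major, minor, patch) from `httpd -v` output such as
    'Server version: Apache/2.4.48 (Unix)'."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v)
    if not m:
        raise ValueError("no Apache version string found")
    return tuple(int(x) for x in m.groups())


def loaded_modules(httpd_m: str) -> set:
    """Parse `httpd -M` output ('Loaded Modules:' followed by lines like
    ' proxy_module (shared)') into a set of module names."""
    mods = set()
    for line in httpd_m.splitlines():
        m = re.match(r"\s*([A-Za-z0-9_]+_module)\s+\((?:static|shared)\)", line)
        if m:
            mods.add(m.group(1))
    return mods


def assess(httpd_v: str, httpd_m: str) -> dict:
    """Classify a host for CVE-2021-40438 and state the remediation."""
    ver = parse_version(httpd_v)
    proxy = "proxy_module" in loaded_modules(httpd_m)
    # Exposure needs both conditions: unpatched version AND mod_proxy loaded.
    vulnerable = ver < PATCHED and proxy
    if ver >= RECOMMENDED:
        action = "none for CVE-2021-40438"
    else:
        action = "upgrade directly to %d.%d.%d or later (skip 2.4.49/2.4.50)" % RECOMMENDED
    return {"version": "%d.%d.%d" % ver, "mod_proxy": proxy,
            "vulnerable": vulnerable, "action": action}


# Constructed sample output of `httpd -v` and `httpd -M` from a pre-patch host.
SAMPLE_V = "Server version: Apache/2.4.48 (Unix)\nServer built:   Jun  1 2021 12:00:00\n"
SAMPLE_M = ("Loaded Modules:\n core_module (static)\n so_module (static)\n"
            " http_module (static)\n proxy_module (shared)\n proxy_http_module (shared)\n")

if __name__ == "__main__":
    print(assess(SAMPLE_V, SAMPLE_M))
```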