A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier. Reference: https://httpd.apache.org/security/vulnerabilities_24.html
Created httpd tracking bugs for this issue: Affects: fedora-all [bug 2005118]
This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Enterprise Application Platform 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
As this issue seems to be about Unix sockets (UDS), it does not affect the versions of httpd shipped in RHEL 6 and 7 because support for unix: in mod_proxy was added only in upstream versions 2.4.7 and later. RHEL 6 and RHEL 7 ship older versions which do not include the UDS feature.
An attacker can use this flaw to perform all kinds of HTTP methods, like GET, POST, DELETE, etc.
Scope set to Changed (S:C) because this flaw allows performing requests on other services as if they came from the httpd server, so the real impact is to the data and services available elsewhere and not on the httpd server itself. Attack Complexity set to High (AC:H) because an attacker would need to first perform target-specific reconnaissance in order to find out the available services and their endpoints.
Upstream patch: https://svn.apache.org/viewvc?view=revision&revision=1893101
In reply to comment #5:
> As this issue seems to be about Unix sockets (UDS), it does not affect the
> versions of httpd shipped in RHEL 6 and 7 because support for unix: in
> mod_proxy was added only in upstream versions 2.4.7 and later. RHEL 6 and
> RHEL 7 ship older versions which do not include the UDS feature.
Correction on this: RHEL7 got a backport for the Unix Domain Sockets feature in mod_proxy, thus making it vulnerable to this flaw.
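The description in the first comment (a crafted request uri-path makes mod_proxy forward to an origin of the client's choosing, upstream 2.4.48 and earlier affected) and the follow-up about the unix: socket feature being backported into RHEL 7 together give a defender two practical checks. The script below is an added example, not code from the bug report, Red Hat, or the httpd project. It parses an `httpd -v` banner and compares it against the last affected upstream version, and it scans combined-format access log lines for requests to proxied paths that carry a `unix:` token in the request target. The proxied prefix `/app/` and the log lines are constructed for the example; the `unix:` heuristic is an assumption drawn from the thread's remark that the issue concerns mod_proxy's unix: support, not a rule published on the page.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Upstream versions up to and including this one are listed as affected in the
# bug description (Apache HTTP Server 2.4.48 and earlier).
LAST_AFFECTED_UPSTREAM = (2, 4, 48)


def parse_httpd_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `httpd -v` output such as
    'Server version: Apache/2.4.48 (Unix)'. Returns None if no version is found."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def upstream_version_affected(banner: str) -> bool:
    """True when the upstream version is 2.4.48 or earlier.

    Only meaningful for builds that track upstream numbering: distribution
    packages (RHEL, for instance) backport fixes and features without changing
    the version string, as the thread notes for the UDS backport in RHEL 7, so
    for those the vendor errata, not this check, is authoritative."""
    v = parse_httpd_version(banner)
    return v is not None and v <= LAST_AFFECTED_UPSTREAM


# Combined-format access log lines, constructed for this example. The request
# targets are illustrative and not taken from any real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2021:10:00:01 +0000] "GET /app/index.html HTTP/1.1" 200 512
203.0.113.7 - - [10/Sep/2021:10:00:02 +0000] "GET /app/?unix:example HTTP/1.1" 502 0
198.51.100.9 - - [10/Sep/2021:10:00:03 +0000] "POST /app/api HTTP/1.1" 200 12
198.51.100.9 - - [10/Sep/2021:10:00:04 +0000] "GET /static/unix:notes.txt HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: the URL prefixes this deployment hands to mod_proxy (ProxyPass).
PROXIED_PREFIXES = ("/app/",)


def suspicious_proxy_requests(log_text: str,
                              proxied_prefixes=PROXIED_PREFIXES) -> List[Tuple[str, str, str]]:
    """Return (ip, method, target) for requests whose target, on a proxied path,
    carries a 'unix:' token after percent-decoding.

    Heuristic: ordinary clients have no reason to send 'unix:' in a request
    target to a reverse proxy, so it is a useful hunting signal for the class of
    request the bug report describes. Targets outside the proxied prefixes are
    ignored because mod_proxy never sees them."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not combined-format requests
        target = m.group("target")
        decoded = unquote(target).lower()
        if target.startswith(proxied_prefixes) and "unix:" in decoded:
            hits.append((m.group("ip"), m.group("method"), target))
    return hits


if __name__ == "__main__":
    print(upstream_version_affected("Server version: Apache/2.4.48 (Unix)"))
    for hit in suspicious_proxy_requests(SAMPLE_LOG):
        print("review:", hit)
```

Run it against a real `httpd -v` banner and an access log; a hit is a request worth reviewing, not proof of exploitation, and on RHEL the version check should be replaced by confirming the RHSA listed later in this thread is installed.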
This issue has been addressed in the following products: Red Hat JBoss Core Services Via RHSA-2021:3745 https://access.redhat.com/errata/RHSA-2021:3745
This issue has been addressed in the following products:
JBoss Core Services on RHEL 7
JBoss Core Services for RHEL 8
Via RHSA-2021:3746 https://access.redhat.com/errata/RHSA-2021:3746
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-40438
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2021:3754 https://access.redhat.com/errata/RHSA-2021:3754
(In reply to Product Security DevOps Team from comment #22)
> This bug is now closed. Further updates for individual products will be
> reflected on the CVE page(s):
>
> https://access.redhat.com/security/cve/cve-2021-40438
Why is it closed if it is not (yet) fixed on RHEL7 nor RHEL8?
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3816 https://access.redhat.com/errata/RHSA-2021:3816
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:3837 https://access.redhat.com/errata/RHSA-2021:3837
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3836 https://access.redhat.com/errata/RHSA-2021:3836
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7.3 Advanced Update Support
Red Hat Enterprise Linux 7.4 Advanced Update Support
Red Hat Enterprise Linux 7.6 Advanced Update Support
Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
Red Hat Enterprise Linux 7.6 Telco Extended Update Support
Red Hat Enterprise Linux 7
Red Hat Enterprise Linux 7.7 Advanced Update Support
Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
Red Hat Enterprise Linux 7.7 Telco Extended Update Support
Red Hat Enterprise Linux 7.2 Advanced Update Support
Via RHSA-2021:3856 https://access.redhat.com/errata/RHSA-2021:3856
Created attachment 1859720 [details] Apache HTTP Server mod_proxy module SSRF vulnerability
Created attachment 1859722 [details] Apache HTTP Server mod_proxy module SSRF vulnerability