The Apache HTTP Server project released version 2.4.49, which fixes 6 CVEs.
Airlock Gateway uses Apache HTTP Server as a web listener for the WAF/API Gateway engine as well as for the Configuration Center.
Airlock Gateway may be vulnerable; please see the resolution.
Details:
CVE-2021-33193
Airlock Gateway is not affected by default. See [4] if you changed the default Allow Rule settings.
CVE-2021-34798
NULL pointer dereference in the mod_status module. An attacker may crash the server. mod_status is not used by Airlock Gateway by default, but it is available and can be enabled with Apache Expert Settings [3]. If you are using mod_status, we recommend following the resolution details below.
CVE-2021-36160
The affected module mod_proxy_uwsgi is not used by Airlock Gateway.
CVE-2021-39275
Our custom Apache module mod_airlock does not use the affected function ap_escape_quotes. Default Apache modules are not affected either (see [1]).
CVE-2021-40438
Affects mod_proxy, which is used by the Configuration Center Management Apache Server. Airlock Gateway is not affected because the static configuration of mod_proxy is safe, i.e. the vulnerability cannot be exploited.