Message-ID: <bbb8b568-9512-02e4-60ec-3df480af3430@rs-labs.com>
Date: Sat, 9 Oct 2021 19:42:47 +0200
From: Roman Medina-Heigl Hernandez <roman@...labs.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2021-42013: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773)

Thanks Yann, I'm happy you agree with my analysis. It also seems to match the one by your colleague Stefan (that you referenced).

I just wanted to clarify that the impact of both CVEs is exactly the same: RCE and/or arbitrary file read and/or none, depending on httpd config :-). There's no difference between Apache 2.4.49 and 2.4.50 in that regard.

But reading the blog post by Stefan (https://github.com/icing/blog/blob/main/httpd-2.4.50.md) and Apache HTTP 2.4 vulns security page (https://httpd.apache.org/security/vulnerabilities_24.html) as well, I feel like you are associating the RCE impact to 2.4.50 and the arbitrary file read to 2.4.49. That's misleading.

Examples:

- blog post

  "With Apache 2.4.50 the team fixed CVE-2021-41773, a critical security flaw that allowed under certain conditions an outside to access files on your server outside of the configured document roots."
  -> You forget to mention the RCE.

  "Affection, 2.4.49"
  -> You go for arbitrary file read example.

  "Affection, 2.4.50"
  -> Then you go for RCE example.

- security page

  "Fixed in Apache HTTP Server 2.4.51 critical: Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)"
  -> It states RCE (right) but perhaps you should also note the arbitrary file read impact.

  "Fixed in Apache HTTP Server 2.4.50 ... critical: Path traversal and file disclosure vulnerability in Apache HTTP Server 2.4.49 (CVE-2021-41773)"
  -> It doesn't state the RCE (wrong), only the arbitrary file read ("file disclosure").

I'm sure this is unintentional and yes, it's only a matter of wording but it's kind of misleading, imho. I'd kindly advise for it to be fixed.

And I also take this opportunity to thank ASF and particularly the folks like Yann and Stefan whose work makes Apache httpd possible.

C'u in apache-nosejob-202x.c !!! :-)

Cheers,
-r

On 08/10/2021 at 23:27, Yann Ylavic wrote:
> On Fri, Oct 8, 2021 at 11:10 PM Solar Designer <solar@...nwall.com> wrote:
>> On Fri, Oct 08, 2021 at 08:37:33PM +0200, Yann Ylavic wrote:
>>> On Fri, Oct 8, 2021 at 8:53 AM Roman Medina-Heigl Hernandez
>>> <roman@...labs.com> wrote:
>>>> I posted RCE exploit for this (it works for both CVEs: 41773 & 42013)
>>>> and some other details regarding requirements / exploitability, which
>>>> you may find useful at:
>>>>
>>>> https://twitter.com/roman_soft/status/1446252280597078024
>>> Thanks, that's fair analysis.
>> Yann is probably referring to the full tweet thread by Roman, not just
>> the one tweet that Roman posted in here. Let me correct that:
> Exactly, thanks Alexander and sorry if I wasn't clear enough.
>
> For completeness I'll add this tweet/blog from Stefan (OP) about the
> vulnerability and the fixes in httpd:
> https://twitter.com/icing/status/1446504661448593408
>
> Regards;
> Yann.

--
Regards,
-Román