The Apache HTTP Server is one of the most widely used web servers in the world. However, like all software, it is not immune to vulnerabilities. And be careful, because this one is a double vulnerability.
On 4 July, a critical security flaw affecting Apache version 2.4.60 was disclosed. It is identified as CVE-2024-39884.
The flaw allows the source code of PHP files to be disclosed. This is absolutely critical, as these files may contain, for example, database passwords or confidential proprietary code.
A patch was therefore released as version 2.4.61 of the Apache server... except that this patch did not fully fix the flaw! A second CVE, CVE-2024-40725, was therefore published to track this still-uncorrected flaw.
Here is a summary of these flaws and the fixes that have been released.
Update 30/07/2024: There is a possibility that this vulnerability is linked to a wave of hacks targeting sites hosted by o2switch. Nothing has been established with certainty, as the means of exploiting these flaws and the scale of the problem are not yet public. Nor do I have any information from my hosting partner about the Apache versions used.
CVE-2024-39884
- Publication date: 4 July 2024
- Description: A regression in the core of Apache HTTP Server 2.4.60 means that certain content-type-based configuration directives, such as `AddType`, are not correctly applied. In some cases this can result in the disclosure of the source code of local files, such as PHP scripts, which may be served as plain text instead of being interpreted.
- Solution: We recommend that you update to version 2.4.61, which fixes this problem.
- Link: CVE-2024-39884
CVE-2024-40725
- Publication date: 17 July 2024
- Description: This flaw is a follow-up correction to CVE-2024-39884. It reveals that version 2.4.61 does not completely fix the initial problem: certain content-type-based configurations can still lead to the disclosure of the source code of local files in some circumstances.
- Solution: We recommend that you update to version 2.4.62, which fixes this problem once and for all.
- Link: CVE-2024-40725
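Two checks an administrator can run after reading the two advisories above, as an added example written for this page (it is not code from the original post or from the Apache project): the first maps an upstream Apache version string, as printed by `apache2 -v` or `httpd -v`, to the state the advisories describe (2.4.60 affected by both CVEs, 2.4.61 still affected by CVE-2024-40725, 2.4.62 and later corrected); the second classifies the `Content-Type` and body returned for a PHP script on a server you administer, so that a server handing back raw PHP source is recognised. The version table is deliberately upstream-only: distribution packages such as Debian's `2.4.61-1~deb11u1` carry backported fixes and must be judged against the distribution's own tracker rather than this function. The sample version strings and the sample response are constructed for the demonstration; no live server is contacted.

```shell
#!/bin/sh
# Added example, not part of the original post or of the Apache project.
# Defender-side checks for CVE-2024-39884 / CVE-2024-40725 in POSIX sh.
# Assumption: version numbers are upstream Apache release numbers; distro
# packages with backported fixes must be checked against the distro tracker.

# Print the first x.y.z version found in a string such as
# "Server version: Apache/2.4.61 (Debian)" or "2.4.61-1~deb12u1".
extract_apache_version() {
    for word in $(printf '%s' "$1" | tr -c '0-9.\n' ' '); do
        case "$word" in
            [0-9]*.[0-9]*.[0-9]*) printf '%s\n' "$word"; return 0 ;;
        esac
    done
    return 1
}

# Print one of: unaffected | vulnerable:<CVE list> | corrected | unknown
classify_apache_version() {
    ver=$(extract_apache_version "$1") || { echo unknown; return 0; }
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}
    if [ "$major" != 2 ] || [ "$minor" != 4 ]; then
        echo unknown                       # not a 2.4.x release; outside the advisories
    elif [ "$patch" -lt 60 ]; then
        echo unaffected                    # the regression was introduced in 2.4.60
    elif [ "$patch" -eq 60 ]; then
        echo 'vulnerable:CVE-2024-39884,CVE-2024-40725'
    elif [ "$patch" -eq 61 ]; then
        echo 'vulnerable:CVE-2024-40725'   # 2.4.61 carried an incomplete fix
    else
        echo corrected                     # 2.4.62 and later
    fi
}

# Classify the response for a request to one of your own PHP scripts.
# $1 = Content-Type header value, $2 = response body (the first bytes suffice).
# Prints: source-disclosed | check-manually | ok
classify_php_response() {
    ctype=$1
    body=$2
    case "$body" in
        '<?php'*|'<?='*)
            echo source-disclosed          # the opening PHP tag reached the client
            return 0 ;;
    esac
    case "$ctype" in
        ''|text/plain*|application/octet-stream*)
            echo check-manually            # handler may not have run; inspect the body
            return 0 ;;
    esac
    echo ok
}

# Demonstration on constructed inputs.
for sample in 'Server version: Apache/2.4.60 (Unix)' '2.4.61-1~deb12u1' 'Apache/2.4.62 (Debian)'; do
    printf '%-40s %s\n' "$sample" "$(classify_apache_version "$sample")"
done
# Constructed response, as a leaking server would return it for a .php URL:
printf 'constructed response: %s\n' \
    "$(classify_php_response 'text/plain' '<?php $db_password = "placeholder"; ?>')"
# If an Apache binary is installed on this host, classify it as well.
for bin in apache2 httpd; do
    if command -v "$bin" >/dev/null 2>&1; then
        printf 'installed %s: %s\n' "$bin" "$(classify_apache_version "$("$bin" -v 2>/dev/null)")"
    fi
done
```

To verify a server you administer after updating, fetch a script whose path you know (the path below is a placeholder) with `curl -sS -D headers.txt -o body.txt https://your-host/path/known.php`, then pass the `Content-Type` value from `headers.txt` and `head -c 64 body.txt` to `classify_php_response`. Treat `check-manually` as a hint, not a verdict: a script that legitimately sets `text/plain` will also produce it.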
Debian Patch Roadmap
Debian, the base Linux distribution used by LRob, has also taken steps to correct these vulnerabilities in its various releases, either through the security repository or in the main archive, depending on the release. Here is the roadmap for the fixes:
| Source Package | Release | Version | Status |
|---|---|---|---|
| apache2 (PTS) | bullseye | 2.4.59-1~deb11u1 | vulnerable |
| apache2 (PTS) | bullseye (security) | 2.4.61-1~deb11u1 | corrected |
| apache2 (PTS) | bookworm | 2.4.59-1~deb12u1 | vulnerable |
| apache2 (PTS) | bookworm (security) | 2.4.61-1~deb12u1 | corrected |
| apache2 (PTS) | sid, trixie | 2.4.62-1 | corrected |
- Link: Debian patch roadmap
Status of LRob servers
All LRob servers are already up to date and have this flaw corrected.
Conclusion
Administrators of Apache HTTP servers should immediately check their server version and update to a corrected version (2.4.61-1 from the Debian security repository, or 2.4.62 upstream) to avoid any inadvertent disclosure of source code.
The open-source community continues to monitor and quickly correct vulnerabilities to ensure the security and reliability of software used by millions of servers around the world. Make sure you follow security updates and keep your infrastructure up to date to protect your data and that of your users.