Apache web server vulnerability affects millions of servers

The Apache HTTP server is one of the most widely used web servers in the world. However, like all software, it is not immune to vulnerabilities. And this one is a two-part story: the first fix was incomplete, so it carries two CVEs.

On July 4, 2024, a critical security flaw affecting Apache HTTP Server 2.4.60 was published. It is tracked as CVE-2024-39884.

The flaw can cause the source code of PHP files to be served to clients as plain text instead of being executed. This is critical, because those files often contain database passwords or confidential proprietary code.

A fix was therefore released in version 2.4.61 of the Apache server... except that this fix was incomplete. A second CVE, CVE-2024-40725, was assigned to the part of the flaw that 2.4.61 left open; it is fixed in version 2.4.62.

Here's a summary of these flaws and the corrections made.

Update 07/30/2024: There is a possibility that this vulnerability is related to a wave of hacks targeting sites hosted by o2switch. Nothing has been established with certainty, as the means of exploiting these flaws and the scale of the problem are not yet public. Nor do I have any information from my hosting partner on the Apache versions used.

CVE-2024-39884

  • Publication date: July 4, 2024
  • Description: A regression in the core of Apache HTTP Server 2.4.60 ignores some uses of the legacy content-type based configuration of handlers, such as "AddType". Under some circumstances where files are requested indirectly, this results in the disclosure of local source code: PHP scripts, for example, may be served as plain text instead of being interpreted.
  • Solution: The advisory recommends upgrading to version 2.4.61. As the next CVE shows, that fix turned out to be incomplete, so the version to aim for is 2.4.62.
  • Link: CVE-2024-39884

CVE-2024-40725

  • Publication date: July 17, 2024
  • Description: This CVE covers the incomplete fix for CVE-2024-39884. The patch in version 2.4.61 still ignores some uses of the legacy content-type based handler configuration, so under some circumstances where files are requested indirectly, local source code (PHP scripts, for example) can still be disclosed.
  • Solution: Upgrade to version 2.4.62, which fully fixes the problem.
  • Link: CVE-2024-40725

Debian Patch Roadmap

Debian, the base Linux distribution that LRob's servers run on, has also corrected these vulnerabilities in its releases, either through the "security" repository or directly in the main archive, depending on the release. Here is the status per release:

Source package    Release               Version             Status
apache2 (PTS)     bullseye              2.4.59-1~deb11u1    vulnerable
                  bullseye (security)   2.4.61-1~deb11u1    corrected
                  bookworm              2.4.59-1~deb12u1    vulnerable
                  bookworm (security)   2.4.61-1~deb12u1    corrected
                  sid, trixie           2.4.62-1            corrected

LRob server status

All LRob servers are already up to date and are no longer affected by these flaws.

Conclusion

Administrators of Apache HTTP servers should immediately check which version they are running and upgrade to a corrected version (2.4.62 upstream, or their distribution's patched package, such as Debian's 2.4.61-1~deb11u1 / 2.4.61-1~deb12u1 from the security repository) to avoid inadvertently disclosing source code.
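As an added example (this is not code from the original post, nor LRob's tooling), here is a small POSIX shell script that turns the advice above, and the descriptions of the two CVEs, into a check: it classifies an Apache "Server" banner against CVE-2024-39884 and CVE-2024-40725, and it inspects the body returned for a .php URL for raw PHP source. The function names, the sample banners and the sample response bodies are all constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post or of LRob's tooling.
# Two checks for CVE-2024-39884 / CVE-2024-40725:
#   1. classify_httpd_version: which CVE (if any) an Apache banner maps to
#   2. php_source_leaked: does a response body look like raw PHP source?
# Function names and sample data below are constructed for this example.

# classify_httpd_version BANNER
# Prints one of: not-affected, CVE-2024-39884, CVE-2024-40725, unknown.
# Prints "unknown" and returns 1 when the banner carries no full
# major.minor.patch version (e.g. "Apache/2.4" from ServerTokens Minor)
# or is not an Apache banner at all.
classify_httpd_version() {
    banner=$1
    # Pull "2.4.61" out of e.g. "Apache/2.4.61 (Debian)".
    ver=$(printf '%s\n' "$banner" | sed -n 's#.*Apache/\([0-9][0-9.]*\).*#\1#p')
    case "$ver" in
        *.*.*) ;;                      # major.minor.patch present
        *) echo "unknown"; return 1 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}
    # The regression was introduced in 2.4.60; other branches are not affected.
    if [ "$major" != 2 ] || [ "$minor" != 4 ]; then
        echo "not-affected"
        return 0
    fi
    case "$patch" in
        60) echo "CVE-2024-39884" ;;   # original regression
        61) echo "CVE-2024-40725" ;;   # partial fix only
        *)  echo "not-affected" ;;     # < 2.4.60 or >= 2.4.62
    esac
    return 0
}

# php_source_leaked BODY
# True (exit 0) when BODY contains a PHP open tag, i.e. the server returned
# the script itself instead of running it. A legitimately rendered page that
# prints PHP code (a tutorial, a pastebin) would also match, so treat a hit
# as a signal to inspect, not as proof on its own.
php_source_leaked() {
    printf '%s\n' "$1" | grep -qE '<[?](php|=)'
}

# check_php_url URL  (needs network; not exercised in the offline demo)
# Fetches URL and returns 0 if the response looks like leaked source,
# 1 if it looks interpreted, 2 if the fetch itself failed.
check_php_url() {
    body=$(curl -sS --max-time 10 "$1") || return 2
    if php_source_leaked "$body"; then
        echo "LEAK: $1 returned PHP source"
        return 0
    fi
    echo "ok: $1 was interpreted"
    return 1
}

# Constructed sample bodies: what a disclosed index.php looks like versus the
# output of the same script when PHP actually ran.
SAMPLE_LEAKED='<?php
$pdo = new PDO("mysql:host=localhost;dbname=shop", "shop", "example-password");
echo "welcome";'
SAMPLE_INTERPRETED='welcome'

# Offline demo over constructed banners and bodies.
for banner in "Apache/2.4.59 (Debian)" "Apache/2.4.60 (Unix)" \
              "Apache/2.4.61 (Debian)" "Apache/2.4.62 (Unix)" "Apache/2.4"; do
    printf '%-24s -> %s\n' "$banner" "$(classify_httpd_version "$banner")"
done
if php_source_leaked "$SAMPLE_LEAKED"; then echo "sample 1: source disclosed"; fi
if php_source_leaked "$SAMPLE_INTERPRETED"; then :; else echo "sample 2: interpreted"; fi
```

On a live server the banner comes from the Server response header (curl -sI against the site) or from apache2 -v / httpd -v. Two caveats. First, distribution packages can carry backported fixes under an older upstream version number: the Debian table above lists 2.4.61-1~deb11u1 and 2.4.61-1~deb12u1 as corrected, so on Debian check the package version with dpkg -s apache2 rather than trusting the classification of a bare 2.4.61 banner. Second, the CVE descriptions say the leak occurs under some circumstances where files are requested indirectly, so a direct request for a .php file that comes back interpreted does not prove the server is safe; exercise the indirect paths your configuration actually uses as well (for example directory index resolution, rewrites or error documents).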

The open-source community continues to monitor and rapidly correct vulnerabilities to ensure the security and reliability of software used by millions of servers worldwide. Make sure you follow security updates and keep your infrastructure up to date to protect your data and that of your users.
