CVE-2021-40438

Support for security such as Firewalls and securing linux
jeffshao
Posts: 2
Joined: 2021/10/18 18:59:03

CVE-2021-40438

Post by jeffshao » 2021/10/18 19:03:15

I have httpd-2.4.6-97.el7.centos.x86_64 dated 11-08-2020, I think I am affected, but not sure if there is any update. Is there an updated package coming up? I checked https://centos.pkgs.org/7/centos-updates-x86_64/, but don't see an update yet.

Thanks!

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: CVE-2021-40438

Post by jlehtone » 2021/10/19 10:40:24

Red Hat has released a fix for RHEL 7 on 2021-10-14:
https://access.redhat.com/security/cve/cve-2021-40438
https://access.redhat.com/errata/RHSA-2021:3856
The version of those packages is 2.4.6-97.el7_9.1

It indeed seems that the CentOS build of the packages is not ready yet.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2021-40438

Post by TrevorH » 2021/10/19 11:44:51

I asked and that package is set to be built today.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

psingleton
Posts: 8
Joined: 2021/10/20 05:41:58

Re: CVE-2021-40438

Post by psingleton » 2021/10/20 05:43:46

Hmm, we are still not seeing the fixes released for this; 5 days now we are blocked from using CentOS in production images.

jeffshao
Posts: 2
Joined: 2021/10/18 18:59:03

Re: CVE-2021-40438

Post by jeffshao » 2021/10/20 13:16:28

Hi Trevor,

I haven't seen the repo site: http://mirror.centos.org/centos/7/updat ... s/?C=M;O=D, nor the httpd description https://centos.pkgs.org/7/centos-update ... 4.rpm.html, changed. When do you expect the build to complete?

Thanks,

Jeff

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2021-40438

Post by TrevorH » 2021/10/20 16:34:13

The relevant updates were pushed to the mirrors about 2 hours ago. If you run `yum clean all` then `yum update` you should be seeing them if your selected mirror is up to date. Running that again will most likely pick a different mirror if you get one that doesn't yet have the updates.

psingleton
Posts: 8
Joined: 2021/10/20 05:41:58

Re: CVE-2021-40438

Post by psingleton » 2021/10/20 18:43:51

After yum clean all, yum update, yum install httpd we are still not getting a clean build, any ideas?

+------------+-----------------------+----------------+-----------------------+-------------------------------------------------+
scanner_1 | | STATUS | CVE SEVERITY | PACKAGE NAME | PACKAGE VERSION | CVE DESCRIPTION |
scanner_1 | +------------+-----------------------+----------------+-----------------------+-------------------------------------------------+
scanner_1 | | Unapproved | High RHSA-2021:3856 | httpd-tools | 2.4.6-97.el7.centos.1 | The httpd packages provide the Apache HTTP |
scanner_1 | | | | | | Server, a powerful, efficient, and extensible |
scanner_1 | | | | | | web server. Security Fix(es): * httpd: |
scanner_1 | | | | | | mod_proxy: SSRF via a crafted request uri-path |
scanner_1 | | | | | | containing "unix:" (CVE-2021-40438) For more |
scanner_1 | | | | | | details about the security issue(s), including |
scanner_1 | | | | | | the impact, a CVSS score, acknowledgments, |
scanner_1 | | | | | | and other related information, refer to the |
scanner_1 | | | | | | CVE page(s) listed in the References section. |
scanner_1 | | | | | | https://access.redhat.com/errata/RHSA-2021:3856 |
scanner_1 | +------------+-----------------------+----------------+-----------------------+-------------------------------------------------+
scanner_1 | | Unapproved | High RHSA-2021:3856 | httpd | 2.4.6-97.el7.centos.1 | The httpd packages provide the Apache HTTP |
scanner_1 | | | | | | Server, a powerful, efficient, and extensible |
scanner_1 | | | | | | web server. Security Fix(es): * httpd: |
scanner_1 | | | | | | mod_proxy: SSRF via a crafted request uri-path |
scanner_1 | | | | | | containing "unix:" (CVE-2021-40438) For more |
scanner_1 | | | | | | details about the security issue(s), including |
scanner_1 | | | | | | the impact, a CVSS score, acknowledgments, |
scanner_1 | | | | | | and other related information, refer to the |
scanner_1 | | | | | | CVE page(s) listed in the References section. |
scanner_1 | | | | | | https://access.redhat.com/errata/RHSA-2021:3856 |

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2021-40438

Post by TrevorH » 2021/10/21 02:28:00

2.4.6-97.el7.centos.1 is the fixed version.

psingleton
Posts: 8
Joined: 2021/10/20 05:41:58

Re: CVE-2021-40438

Post by psingleton » 2021/10/21 05:46:22

As you can see, that's what's being deployed, but it is still failing on security.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: CVE-2021-40438

Post by jlehtone » 2021/10/21 07:56:23

The 2.4.6-97.el7.centos.1 changelog claims:

Code:

* Thu Oct 07 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-97.1
- Resolves: #2011729 - CVE-2021-40438 httpd: mod_proxy: SSRF via a crafted
  request uri-path containing "unix:"
That gives two suspects:
  • The patch does not resolve the issue completely in RHEL 7. You should submit a bug report to Red Hat's Bugzilla.
  • The "scanner_1" produces a false positive. You should submit a bug report to the developers of the scanner tool.
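The following is an added example, not code from the thread, from CentOS or from Red Hat. It shows the two checks a practitioner would run before choosing between those suspects: compare the installed httpd EVR against the erratum's EVR the way rpm itself orders packages (a port of rpm's rpmvercmp; the '^' rule is left out, an assumption that is harmless for these strings), and scan the package changelog for the CVE id, which is what the post above did. The changelog text is a constructed sample whose first entry is copied from the thread and whose second entry is a placeholder. One plausible reading of the scanner output, inferred here and not confirmed by the thread, is that the scanner pins RHSA-2021:3856 to version 2.4.6-97.el7_9.1, and under rpmvercmp the CentOS release string 97.el7.centos.1 sorts below 97.el7_9.1 because the alphabetic segment "centos" loses to the numeric segment "9"; the example makes that ordering visible next to the changelog evidence.

```python
"""Added example (not from the thread): rpm-style version comparison plus a
changelog check for a CVE id, run side by side on the versions in the thread."""
import re

# Constructed sample of `rpm -q --changelog httpd` output: first entry copied
# from the thread, second entry is a placeholder (not a real changelog line).
CHANGELOG_SAMPLE = """\
* Thu Oct 07 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-97.1
- Resolves: #2011729 - CVE-2021-40438 httpd: mod_proxy: SSRF via a crafted
  request uri-path containing "unix:"
* Mon Jan 01 2001 Placeholder Packager <packager@example.com> - 2.4.6-97
- constructed placeholder entry, not a real changelog line
"""


def _significant(c: str) -> bool:
    """Characters rpmvercmp compares; everything else is a separator."""
    return c.isascii() and (c.isalnum() or c == "~")


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.

    Separators are skipped, strings compare segment by segment, numeric
    segments compare as integers and always beat alphabetic ones, and '~'
    sorts before anything, even the end of the string ('^' is omitted).
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not _significant(a[i]):
            i += 1
        while j < len(b) and not _significant(b[j]):
            j += 1
        tilde_a = i < len(a) and a[i] == "~"
        tilde_b = j < len(b) and b[j] == "~"
        if tilde_a or tilde_b:
            if not tilde_a:
                return 1
            if not tilde_b:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        if a[i].isdigit():
            pattern, is_num = r"\d+", True
        else:
            pattern, is_num = r"[A-Za-z]+", False
        seg_a = re.match(pattern, a[i:]).group(0)
        match_b = re.match(pattern, b[j:])
        seg_b = match_b.group(0) if match_b else ""
        if seg_b == "":
            # Segment types differ: the numeric side is the newer one.
            return 1 if is_num else -1
        cmp_a, cmp_b = seg_a, seg_b
        if is_num:
            cmp_a, cmp_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(cmp_a) != len(cmp_b):
                return 1 if len(cmp_a) > len(cmp_b) else -1
        if cmp_a != cmp_b:
            return 1 if cmp_a > cmp_b else -1
        i += len(seg_a)
        j += len(seg_b)
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str):
    """Split '[epoch:]version[-release]' into (epoch, version, release)."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Order two EVR strings as rpm orders packages: epoch, version, release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    return rpmvercmp(ea, eb) or rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def changelog_fixes(changelog: str, cve: str) -> list:
    """Version-release of every changelog entry whose body mentions the CVE."""
    fixes, current = [], None
    for line in changelog.splitlines():
        if line.startswith("* "):
            current = line.rsplit(" - ", 1)[-1].strip()
        elif current and cve in line:
            fixes.append(current)
    return fixes


def assess(installed_evr: str, erratum_evr: str, changelog: str, cve: str) -> dict:
    """Both signals in one place so a disagreement between them is obvious."""
    return {
        "installed_vs_erratum": evr_cmp(installed_evr, erratum_evr),
        "changelog_claims_fix": bool(changelog_fixes(changelog, cve)),
    }


if __name__ == "__main__":
    # Versions from the thread: CentOS rebuild vs the RHSA-2021:3856 package.
    print(assess("2.4.6-97.el7.centos.1", "2.4.6-97.el7_9.1",
                 CHANGELOG_SAMPLE, "CVE-2021-40438"))
```

On a real host the inputs come from `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' httpd` and `rpm -q --changelog httpd`; when version ordering says "older than the erratum" while the changelog names the CVE, the tool's version-only comparison is the first thing to question, and the changelog plus the package signature is the evidence to attach to whichever bug report you file.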
