CVE-2021-40438 and centos-sclo-rh/x86_64

Support for security such as Firewalls and securing linux
everdes-netlabs
Posts: 2
Joined: 2021/10/22 20:41:11

CVE-2021-40438 and centos-sclo-rh/x86_64

Post by everdes-netlabs » 2021/10/22 21:10:02

Hi,

I've been notified about the CVE-2021-40438 vulnerability on one of my servers. We have centos-sclo-rh/x86_64 on the server, and the package httpd24-httpd.x86_64 2.4.34-22.el7 @centos-sclo-rh is installed.
The Red Hat advisory says the CVE is fixed in this version of the httpd package, but the security team was able to exploit the vulnerability.
Is the vulnerability really fixed, or should another update be issued?

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: CVE-2021-40438 and centos-sclo-rh/x86_64

Post by jlehtone » 2021/10/23 21:04:03

Your security team should report that to Red Hat.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: CVE-2021-40438 and centos-sclo-rh/x86_64

Post by TrevorH » 2021/10/23 23:59:08

On RHEL 7, httpd24-httpd.x86_64 is at version 2.4.34-22.el7.1, which is a whole .1 newer than the one on CentOS. And after much mucking around I finally managed to query the changelog without actually being forced to install the package, and the top entry is:

* Thu Sep 30 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.34-22.1
- Resolves: #2007237 - CVE-2021-40438 httpd24-httpd: httpd: mod_proxy: SSRF via
  a crafted request uri-path

I also enabled the centos-sclo-sclo-testing repo to check if it had been built but not yet promoted but it's not there either.

I'd suggest looking up on the CentOS wiki when the next SCL SIG meeting is due to take place and join #centos-meeting (or meeting2, not sure which) on Libera.chat IRC and asking there.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
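The check TrevorH describes, done by hand, is: find the changelog entry that names the CVE, read the EVR (epoch:version-release) off its header, and compare it with the EVR that is actually installed using rpm's ordering rules. The script below is an added example written for this thread; it is not CentOS, Red Hat or rpm tooling. It re-implements rpm's rpmvercmp() segment comparison in Python so that it runs offline, parses the changelog text in the layout `rpm -q --changelog <pkg>` (or `rpm -qp --changelog <file.rpm>` for a downloaded package) prints, and reports whether the installed EVR is at or past the oldest entry that mentions the CVE. Two things are assumptions of this script: changelog entries are written without the %{?dist} tag (so `22.el7.1` has to be read as `22.1`), and the dist-tag regex only knows `.elN`/`.elN_M`/`.fcN`. The sample changelog is constructed: its top entry is the one quoted in the post above, the older entry is a placeholder.

```python
"""Is an installed RPM at or past the changelog entry that names a CVE?
Added example for this thread; not rpm/yum code.  rpmvercmp() mirrors rpm's
lib/rpmvercmp.c ordering; is_fixed() compares against the oldest changelog
entry mentioning the CVE after stripping an assumed .elN/.fcN dist tag."""
import re
import sys
from functools import cmp_to_key


def _take(s, k, pred):
    """Return the run of characters at s[k:] satisfying pred, and the new index."""
    start = k
    while k < len(s) and pred(s[k]):
        k += 1
    return s[start:k], k


def rpmvercmp(a: str, b: str) -> int:
    """rpm's version ordering: split into digit/alpha segments, numeric beats
    alpha, '~' sorts before anything (pre-release), '^' sorts after the bare
    base version but before further segments.  Returns -1, 0 or 1."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators are anything that is not alnum, '~' or '^'
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":            # tilde: the side with it is older
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":            # caret: newer than base, older than rest
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):                   # one side ran out of segments
            break
        isnum = ca.isdigit()
        pred = str.isdigit if isnum else str.isalpha
        seg_a, i = _take(a, i, pred)
        seg_b, j = _take(b, j, pred)
        if not seg_b:                         # type mismatch: numeric segment wins
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1          # whichever still has characters wins


def parse_evr(evr: str):
    """'1:2.4.34-22.el7' -> (1, '2.4.34', '22.el7'); epoch defaults to 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(x: str, y: str) -> int:
    """Full rpm EVR ordering: epoch numerically, then version, then release."""
    ex, vx, rx = parse_evr(x)
    ey, vy, ry = parse_evr(y)
    if ex != ey:
        return 1 if ex > ey else -1
    return rpmvercmp(vx, vy) or rpmvercmp(rx, ry)


def strip_dist(release: str) -> str:
    """Assumption: changelog EVRs omit %{?dist}, so drop .el7 / .el7_9 / .fc34."""
    return re.sub(r"\.(el|fc)\d+(_\d+)?", "", release)


def parse_changelog(text: str):
    """Split `rpm -q --changelog` output into [{'header','evr','body'}], newest first."""
    entries = []
    for line in text.splitlines():
        if line.startswith("* "):
            header, _, evr = line.rpartition(" - ")
            entries.append({"header": header[2:], "evr": evr, "body": []})
        elif entries and line.strip():
            entries[-1]["body"].append(line.strip())
    return entries


def first_fixed_evr(changelog_text: str, cve: str):
    """Lowest EVR whose changelog body mentions the CVE, or None if none does."""
    hits = [e["evr"] for e in parse_changelog(changelog_text) if cve in " ".join(e["body"])]
    return min(hits, key=cmp_to_key(evr_cmp)) if hits else None


def is_fixed(installed_evr: str, changelog_text: str, cve: str):
    """True/False if the changelog names the CVE; None if it never does."""
    fix = first_fixed_evr(changelog_text, cve)
    if fix is None:
        return None
    e, v, r = parse_evr(installed_evr)
    return evr_cmp(f"{e}:{v}-{strip_dist(r)}", fix) >= 0


# Constructed sample: first entry as quoted in the thread, second is a placeholder.
SAMPLE_CHANGELOG = """\
* Thu Sep 30 2021 Luboš Uhliarik <luhliari@redhat.com> - 2.4.34-22.1
- Resolves: #2007237 - CVE-2021-40438 httpd24-httpd: httpd: mod_proxy: SSRF via
  a crafted request uri-path

* Mon Jan 04 2021 Example Maintainer <maintainer@example.com> - 2.4.34-22
- placeholder entry (constructed for this example, not a real changelog line)
"""

if __name__ == "__main__":
    # usage: rpm -q --changelog httpd24-httpd | python3 evrcheck.py 2.4.34-22.el7 CVE-2021-40438
    print(is_fixed(sys.argv[1], sys.stdin.read(), sys.argv[2]))
```

Run against the sample, `is_fixed("2.4.34-22.el7", SAMPLE_CHANGELOG, "CVE-2021-40438")` is False and `is_fixed("2.4.34-22.el7.1", ...)` is True, which is exactly the gap between the CentOS SCL build and the RHEL one in the post. Note that even without the dist-tag stripping, rpm already orders `22.el7` below `22.1` because an alphabetic segment loses to a numeric one; the stripping matters for the equal case, where `22.el7.1` must read as `22.1` to match the changelog header.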

everdes-netlabs
Posts: 2
Joined: 2021/10/22 20:41:11

Re: CVE-2021-40438 and centos-sclo-rh/x86_64

Post by everdes-netlabs » 2021/10/25 18:32:28

Hi, Trevor,

thanks for the answer. That was what I needed.

Best Regards,

Enrique.
