Apache HTTP Server mod_proxy SSRF (CVE-2021-40438)
Description
A Server-Side Request Forgery (SSRF) vulnerability exists in Apache HTTP Server versions 2.4.48 and earlier when using the mod_proxy module. The vulnerability allows remote unauthenticated attackers to manipulate the request URI path, causing the server to make requests to arbitrary internal or external resources. This occurs due to improper validation of user-supplied input in the URI path, enabling attackers to bypass network access controls and interact with services that should not be publicly accessible.
Remediation
Apply the following remediation steps immediately to address this vulnerability:
1. Upgrade Apache HTTP Server:
Update to Apache HTTP Server version 2.4.49 or later, which contains the security fix for CVE-2021-40438. Download the latest version from the official Apache HTTP Server project website.
2. Verify mod_proxy Configuration:
If immediate patching is not possible, review and restrict mod_proxy usage. Ensure that proxy directives are properly configured with strict allow/deny rules:
ProxyRequests Off
<Proxy *>
Order deny,allow
Deny from all
</Proxy>3. Implement Network Segmentation:
Limit the server's ability to make outbound connections to internal networks. Use firewall rules to restrict which internal resources the web server can access.
4. Validate and Test:
After upgrading, verify the Apache version using
httpd -v or apache2 -v and test your proxy configurations to ensure they function correctly while blocking unauthorized requests.5. Monitor for Exploitation:
Review access logs for suspicious proxy requests or unusual outbound connection patterns that may indicate exploitation attempts or successful attacks.