A buffer overflow vulnerability in Apache HTTP Server could allow attackers to perform remote code execution attacks.
The vulnerability (CVE-2021-44790) can be triggered by a carefully crafted request body that causes a buffer overflow in the mod_lua multipart parser, reached through r:parsebody() when it is called from Lua scripts.
It was found by a researcher with the handle ‘chamal’, who discovered that the high severity security flaw was present in Apache HTTP Server versions 2.4.51 and earlier.
The researcher reported the vulnerability to the open source project’s maintainers at the Apache Software Foundation, who have since fixed the issue.
It was also reported to the Internet Bug Bounty (IBB), a partnership between tech organizations including HackerOne, Elastic, Facebook, Figma, GitHub, Shopify, and TikTok.
IBB rewards researchers for discovering issues in ubiquitous open source software projects on the basis of an 80/20 split between the bug hunter and the relevant project.
In this case, the highest severity payout ($2,500) was awarded, with $2,000 allocated to chamal and $500 to the Apache Foundation.
Collaborative security
Kayla Underkoffler, senior security technologist at HackerOne, told The Daily Swig that the IBB “fosters a collaborative, community-based approach to open source security by incentivizing security researchers to report vulnerabilities”.
Underkoffler explained: “As open source is a critical component of every enterprise tech stack, organizations have an obligation to contribute back to the security efforts of those projects.
“The IBB helps organizations provide a portion of that support through the 20% contribution back to the project.”
She added: “The program enables organizations to help secure open source dependencies within their software supply chains by contributing a portion of their already dedicated bug bounty funds to the IBB.”
The bug bounty program supports some of the most commonly used open source web development technologies, including cURL, Django, Electron, Node.js, Ruby, and Apache.
Underkoffler said: “The pooled funds for the bounty rewards dictate how much will be awarded for vulnerabilities; the more organizations that contribute to securing shared open source, the higher the opportunities for bounty rewards.”
She described the disclosure process as “simple”, since the IBB is a ‘post-fix’ bounty program, where payouts are awarded only after the reported vulnerabilities have been remediated and the fix has been publicly released by the project.
Users are urged to update to the latest version of Apache HTTP Server in order to protect against the vulnerability.
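As an added example (not from the article or the Apache project), the following POSIX shell functions turn the two facts the article gives, affected versions 2.4.51 and earlier and exposure through mod_lua, into a fleet-wide exposure check that can be run against captured `httpd -v` and `httpd -M` output. The sample output embedded below is constructed, and the version test alone is only a first pass: distributions that backport the fix without bumping the version string still report 2.4.51 or lower.

```shell
#!/bin/sh
# Defender-side exposure check for CVE-2021-44790 (added example, not project code).
# Exposure needs both conditions stated in the article:
#   (1) Apache HTTP Server version <= 2.4.51, and
#   (2) mod_lua loaded (the bug is in its multipart parser, reached via r:parsebody()).
# Inputs are passed as strings so the functions can be run against `httpd -v` /
# `httpd -M` output collected from many hosts.

# Return 0 (true) when an "a.b.c" version is 2.4.51 or earlier.
version_at_most_2_4_51() {
  major=${1%%.*}; rest=${1#*.}
  minor=${rest%%.*}; patch=${rest#*.}
  patch=${patch%%[!0-9]*}            # drop suffixes such as "-dev"
  [ "$major" -lt 2 ] && return 0
  [ "$major" -gt 2 ] && return 1
  [ "$minor" -lt 4 ] && return 0
  [ "$minor" -gt 4 ] && return 1
  [ "${patch:-0}" -le 51 ]
}

# Pull "2.4.51" out of the "Server version: Apache/2.4.51 (Unix)" line of `httpd -v`.
parse_httpd_version() {
  printf '%s\n' "$1" | sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 when `httpd -M` output lists lua_module.
has_mod_lua() {
  printf '%s\n' "$1" | grep -q '^[[:space:]]*lua_module'
}

# Verdict for one host: UNKNOWN, PATCHED, NOT_EXPOSED or VULNERABLE.
# Caveat: a backported distro fix can keep the old version string, so PATCHED
# is reliable but VULNERABLE should be confirmed against the package changelog.
assess() {
  ver=$(parse_httpd_version "$1")
  [ -z "$ver" ] && { echo UNKNOWN; return; }
  if ! version_at_most_2_4_51 "$ver"; then echo PATCHED; return; fi
  if has_mod_lua "$2"; then echo VULNERABLE; else echo NOT_EXPOSED; fi
}

# Constructed sample output (not captured from a real host).
SAMPLE_V='Server version: Apache/2.4.51 (Unix)
Server built:   Oct  7 2021 12:00:00'
SAMPLE_M='Loaded Modules:
 core_module (static)
 lua_module (shared)'
assess "$SAMPLE_V" "$SAMPLE_M"
```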
Source: https://portswigger.net/daily-swig/internet-bug-bounty-high-severity-vulnerability-in-apache-http-server-could-lead-to-rce