The popular web server Apache have recently patched five security vulnerabilities on its application and released its patched version. The vulnerabilities that were patched includes buffer overflow and several denial-of-services. The patched version of the software has been landed in the developer release v2.4.10-dev.
One of the vulnerability buffer overflow have been rated moderate by the Apache Software Foundation, but that flaw can be used for the remote code execution under the required environment or scenario.
The vulnerabilities exist in the mod_status of the software, and Apache team have fixed the flaw by updating the mod_status. The attacker can successfully exploit the vulnerability without authentication also.
Researcher Marek Kroemeke, from HP Zeroday Initiative have reported the vulnerability to Apache team says-
“The specific flaw exists within the updating of mod_status. A race condition in mod_status allows an attacker to disclose information or corrupt memory with several requests to endpoints with handler server-status and other endpoints. By abusing this flaw, an attacker can possibly disclose credentials or leverage this situation to achieve remote code execution,”
Along with this buffer overflow vulnerability Apache team have also fixed the DOS vulnerability which are considered as moderate risk and other flaw are low risk.
Apache team says that, attacker need the right condition to exploit the vulnerability. And if attacker successfully exploit this vulnerability then, it able to access the public server status page on a server.