The issue is a Server Side Request Forgery (SSRF) vulnerability that can be exploited against httpd (The Apache HTTP Server) web servers with the mod_proxy module enabled. An attacker could exploit the vulnerability by sending a specially crafted request and causing the module to redirect the request to an arbitrary origin server.
The issue was discovered by the Apache HTTP Security Team while investigating another vulnerability. The vulnerability affects server versions 2.4.48 and earlier and was fixed in mid-September this year with the release of version 2.4.49.
“By sending a specially crafted request, attackers can force the enabled mod_proxy module to route connections to the originating server of their choice, thereby stealing secrets (metadata or infrastructure keys) or gaining access to other internal servers,” explained experts from Fastly.
According to experts, vulnerable versions of httpd are deployed on more than 500 thousand servers. Since cloud services such as AWS, Microsoft Azure, and Google Cloud Platform provide protection against such attacks, the vulnerability mainly affects organizations that manage their own httpd servers.
The Rapid7 team is also monitoring exploitation of the bug and reports having observed over 4 million potentially vulnerable instances of Apache httpd 2.x.
How to Prevent it (CVE-2021-40438)?
The bug affects versions up to and including 2.4.48 and was patched with the release of Apache version 2.4.49. Note, however, that Apache HTTP Server versions 2.4.49 and 2.4.50 contained other severe vulnerabilities (read here about the vulnerabilities in 2.4.49 & 2.4.50) that are known to be exploited in the wild, so Apache httpd users should upgrade directly to the latest version (2.4.51 at the time of writing) rather than upgrading incrementally.
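A small inventory check that applies the version guidance above, added here as an example and not part of the original article: it parses the first line of `httpd -v` (or a bare version string) and reports whether a host sits in the CVE-2021-40438 range, in the 2.4.49/2.4.50 range that needs a further upgrade, or on 2.4.51 or later, and whether mod_proxy is loaded. The `HTTPD` and `APACHECTL` environment variables are assumptions for hosts where the binaries live under different names.

```shell
#!/bin/sh
# Added example: classify an Apache httpd version against the ranges in the
# article. Input is either "Server version: Apache/2.4.48 (Unix)" as printed
# by "httpd -v", or a bare version such as "2.4.49".

# Turn "2.4.48" into one integer so versions compare numerically, not as text.
version_key() {
    echo "$1" | awk -F. '{ printf "%d\n", $1*1000000 + $2*1000 + $3 }'
}

# Prints one of: vulnerable, upgrade-further, patched
classify_httpd_version() {
    ver=$(echo "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || ver="$1"           # input was already a bare version
    key=$(version_key "$ver")
    if [ "$key" -le "$(version_key 2.4.48)" ]; then
        echo vulnerable                  # CVE-2021-40438 (SSRF via mod_proxy)
    elif [ "$key" -le "$(version_key 2.4.50)" ]; then
        echo upgrade-further             # 2.4.49/2.4.50 carry other exploited bugs
    else
        echo patched                     # 2.4.51 or later
    fi
}

# True when the running server has mod_proxy loaded ("apachectl -M" lists modules).
mod_proxy_loaded() {
    "${APACHECTL:-apachectl}" -M 2>/dev/null | grep -q 'proxy_module'
}

# Check the locally installed server; prints a one-line verdict.
check_installed() {
    line=$("${HTTPD:-httpd}" -v 2>/dev/null | head -n 1)
    if [ -z "$line" ]; then
        echo "httpd binary not found (set HTTPD=/path/to/httpd)"
        return 1
    fi
    state=$(classify_httpd_version "$line")
    if mod_proxy_loaded; then proxy=yes; else proxy=no; fi
    echo "$line -> $state (mod_proxy loaded: $proxy)"
}

# Run the live check only when invoked with --check, e.g. ./httpd-check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_installed
fi
```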
Several experimental proof-of-concept (PoC) exploits have surfaced on the web, and the German Federal Information Security Administration and Cisco have documented at least one attack exploiting the problem.