Apache HTTP Server

Product
Developers: Apache Software Foundation (ASF)
Last Release Date: 2023/01/20

2024: FSTEC warned of a vulnerability 'killing' websites

On April 8, FSTEC issued a warning about vulnerability BDU:2024-02653[1] in the HTTP/2 protocol implementation of the Apache HTTP Server web server. A specially crafted sequence of packets lets an attacker take the web server down, that is, perform a DoS attack against a vulnerable server and make it unavailable. According to the US CERT Coordination Center (CERT/CC), however, the same vulnerability[2] affects quite a few HTTP/2 server implementations: Apache Tomcat, Apache Traffic Server, Envoy proxy, Golang, the h2 Rust crate, nghttp2, amphp/http, Node.js and Tempesta.

The vulnerability is really an architectural one. The HTTP/2 protocol allows a request to the server to be split across several frames (the so-called CONTINUATION frames), the last of which must carry the END_HEADERS flag. This lets an attacker send an unbounded series of frames without the terminating flag, all of which the server has to process. Eventually the server's resources for handling them are exhausted and the server fails. The attack was named CONTINUATION Flood. Taking a server down does not require a large volume of traffic, so the distributed resources used for DDoS attacks are not needed.
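As an added illustration (not code from the page, from Apache httpd, or from any of the projects named above): a minimal HTTP/2 frame parser that reassembles HEADERS and CONTINUATION frames into a header block while capping both the accumulated bytes and the number of CONTINUATION frames, which is the kind of bound a server needs so that a header block that never ends costs only a fixed amount before the connection is dropped. The frame layout follows RFC 7540; HPACK decoding and padding are omitted, and the limit values and the sample inputs are constructed for the example.

```python
import struct
HEADERS, CONTINUATION, END_HEADERS = 0x1, 0x9, 0x4   # frame types and flag, RFC 7540 s6.2/6.10

def frame(ftype, flags, stream_id, payload):
    # Encode one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id, payload.
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break                                  # truncated trailing frame
        yield ftype, flags, sid, payload
        off += 9 + length

def assemble_header_blocks(data, max_block_bytes=8192, max_continuations=16):
    """Reassemble HEADERS + CONTINUATION frames into header blocks, failing fast. Without
    the two limits a peer that never sends END_HEADERS makes `pending` grow without bound."""
    blocks, pending = [], None                     # pending = [stream id, buffer, count]
    for ftype, flags, sid, payload in parse_frames(data):
        if ftype == HEADERS and pending is None:
            pending = [sid, bytearray(payload), 0]
        elif ftype == CONTINUATION and pending is not None and pending[0] == sid:
            pending[1] += payload
            pending[2] += 1
        elif pending is not None or ftype == CONTINUATION:
            raise ValueError("frame type %#x breaks header block sequencing" % ftype)
        else:
            continue                               # ordinary frame outside a header block
        if len(pending[1]) > max_block_bytes or pending[2] > max_continuations:
            raise ValueError("header block limit exceeded on stream %d, drop connection" % sid)
        if flags & END_HEADERS:                    # block complete, release the buffer
            blocks.append((sid, bytes(pending[1])))
            pending = None
    return blocks

def classify(data, **limits):
    # Return ('ok', blocks) or ('rejected', reason) for a byte string of frames.
    try:
        return "ok", assemble_header_blocks(data, **limits)
    except ValueError as exc:
        return "rejected", str(exc)

# Constructed inputs: a header block split over two frames and properly terminated,
# and one that is never terminated with END_HEADERS (100 CONTINUATION frames).
GOOD = frame(HEADERS, 0, 1, b"\x82") + frame(CONTINUATION, END_HEADERS, 1, b"\x84")
FLOOD = frame(HEADERS, 0, 3, b"\x82") + b"".join(frame(CONTINUATION, 0, 3, b"\x00" * 64) for _ in range(100))
```

The payload bytes 0x82 and 0x84 are HPACK static-table references for `:method GET` and `:path /`; a real server would decode them only after the block is complete and within limits.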

The vulnerability was discovered by researcher Bartek Nowotarski, who reported it to CERT/CC on January 25. It was only publicly disclosed in early April, by which time some web server vendors had already released patches for it. While foreign developers had enough time to develop and test a fix (CERT normally contacts the vendors of the affected products as soon as it receives information about a vulnerability), Russian developers most likely had no such opportunity.

Netlas statistics show 919 thousand Apache servers in Russia, which nevertheless places the country only 20th worldwide.

The Apache project, for its part, promptly released[3] a fix for this bug: version 2.4.59 should withstand such an attack. Other vendors are also likely to fix the vulnerability in the near future. Where no fix is available, FSTEC recommends using intrusion detection and prevention systems capable of interrupting a CONTINUATION Flood attack in progress (WAF products should provide this), and restricting the use of the HTTP/2 protocol, that is, temporarily falling back to the older HTTP/1.1 until the vulnerability is fixed. However, it is quite likely that the web interfaces built into various hardware devices cannot be quickly updated or reconfigured, which may lead to their failure.

2023: Apache HTTP Server 2.4.55

On January 20, 2023, it became known that Apache HTTP Server 2.4.55 had been released, with 18 changes and fixes for 3 vulnerabilities:

  • CVE-2022-37436: an HTTP response splitting attack in mod_proxy. A backend controlled by the attacker can truncate the response headers so that the remaining headers end up in the response body (for example, to strip security-related headers in this way).
  • CVE-2022-36760: the mod_proxy_ajp module is susceptible to HTTP Request Smuggling attacks against front-end/back-end systems, allowing an attacker to inject into the content of other users' requests handled in the same stream between the front end and the back end.
  • CVE-2006-20001: a single zero byte can be written outside the bounds of a buffer in mod_dav while processing a specially crafted If: header.

The most notable non-security changes are:

  • mod_proxy_http2 has been moved onto the common mechanism shared with the other proxy modules for handling the content type of responses coming from backends.
  • mod_proxy_hcheck now honours the timeout value configured for proxy workers.
  • In mod_http2, the code for handling connections and streams has been partially rewritten. The pollset facility from APR (Apache Portable Runtime) is used to monitor the main connection and handle I/O for requests and responses. Leading and trailing spaces and tabs in request and response header values are stripped.
  • In mod_proxy_hcheck, hcmethod allows HTTP/1.1 health-check requests using the GET11, HEAD11 and OPTIONS11 methods. Support for AJP CPING is now verified correctly.
  • mod_authn_core adds support for expressions in AuthName and AuthType.
  • The MDStoreLocks directive has been added to mod_md to lock the shared store so that renewed certificates are activated correctly when several cluster nodes restart.
  • mod_heartmonitor allows "HeartbeatMaxServers 0" to be specified in order to use file storage instead of slotmem.
  • The DavLockDiscovery directive has been added to mod_dav to disable WebDAV lock discovery[4].

2012: Apache HTTP Server 2.4

This is the first major release (2012) since 2005, when version 2.2 came out. The new features of Apache improve the server's ability to operate in high-traffic environments.

Apache is the most popular web server: according to Netcraft, it is used by almost 400 million sites, or 65% of the total. Second place goes to Microsoft IIS with 14.5%. But Apache's main competitor is perhaps nginx: its share is under 10%, yet over the past month it gained 12,000 new sites while Apache lost 18,000.

Many of the new features in Apache 2.4 mirror the ones that made nginx popular. The new Apache handles more simultaneous connections and uses less memory. The reverse proxy module allows a single external IP address to serve multiple servers whose internal addresses change frequently. Timeouts can be set with millisecond granularity, and resource limits are tracked in finer detail. The caching mechanism has been improved for high traffic volumes.

Notes