Security Advisories for the week ending October 8, 2021
- Mozilla Releases Security Updates for Firefox and Firefox ESR
- Apache Releases Security Update for Apache HTTP Server
_______________________________
Mozilla Releases Security Updates for Firefox and Firefox ESR
Situation
Mozilla has released security updates to address vulnerabilities in Firefox and Firefox ESR.
Problem
The security issues addressed in Firefox 93 include Bug 1725335, Bug 1726621, Bug 1729642, and Bug 1729813.
Firefox ESR 78.15 addresses Bug 1725335, a use-after-free in which, during operations on MessageTasks, a task may have been removed while it was still scheduled, resulting in memory corruption and a potentially exploitable crash.
Firefox ESR 91.2 addresses Bug 1725335, Bug 1726621, Bug 1729642, and Bug 1729813.
Implication
An attacker could exploit some of these vulnerabilities to take control of an affected system.
Need
CISA encourages users and administrators to review the Mozilla security advisories for Firefox 93, Firefox ESR 78.15, and Firefox ESR 91.2 and apply the necessary updates.
For a brief overview:
For a more technical overview:
https://www.mozilla.org/en-US/security/advisories/mfsa2021-43/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-44/
https://www.mozilla.org/en-US/security/advisories/mfsa2021-45/
________________________________
Apache Releases Security Update for Apache HTTP Server
Situation
The Apache Software Foundation has released Apache HTTP Server version 2.4.50 to address two vulnerabilities.
Problem
The first vulnerability, CVE-2021-41524: while fuzzing the 2.4.49 httpd, a new NULL pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server with a specially crafted request. The vulnerability was introduced in version 2.4.49; no exploit is known to the project.
The second vulnerability, CVE-2021-41773: a flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by the usual default configuration "Require all denied", these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild.
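The following Python model is added here to illustrate the class of flaw described above; it is not code from httpd or from the CISA or Apache advisories, and it does not reproduce httpd's normalizer. It models the ordering problem in simplified form: a server that collapses "." and ".." segments while the path is still percent-encoded, and only decodes afterwards, lets a segment such as ".%2e" survive normalization and become ".." at filesystem-mapping time. Decoding before normalizing closes that gap. The document root, the request paths and the access-log lines are all constructed for the example; the exact set of encodings that bypassed the real 2.4.49 check is not what this model is about. The second half shows a detection pass over sample access-log lines for encoded-dot traversal attempts.

```python
"""Simplified model of an encode-then-normalize path traversal flaw,
plus a detector for encoded-dot traversal attempts in access logs.
Example code; not httpd's implementation."""
import os
import re
from urllib.parse import unquote

DOCROOT = "/var/www/html"  # assumed document root for the model


def collapse_dots(path):
    """Remove '.' and '..' segments, never climbing above '/'."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def map_vulnerable(url_path):
    """Flawed order: normalize the still-encoded path, decode afterwards.
    '.%2e' is not recognised as '..' by collapse_dots, but becomes '..'
    after unquote, so the final join can leave the document root."""
    return os.path.normpath(DOCROOT + unquote(collapse_dots(url_path)))


def map_fixed(url_path):
    """Correct order: decode first, then normalize, then join."""
    return os.path.normpath(DOCROOT + collapse_dots(unquote(url_path)))


def escapes_docroot(fs_path):
    """True if a mapped filesystem path lies outside DOCROOT."""
    return not (fs_path == DOCROOT or fs_path.startswith(DOCROOT + "/"))


# Encoded-dot forms seen in traversal attempts against 2.4.49/2.4.50.
TRAVERSAL_RE = re.compile(r"(\.%2e|%2e\.|%2e%2e|%%32%65)", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|OPTIONS) (\S+) HTTP/')

# Constructed combined-log-format lines for the example (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Oct/2021:12:00:01 +0000] "GET /.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1324 "-" "curl/7.68.0"',
    '203.0.113.5 - - [05/Oct/2021:12:00:02 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 58 "-" "curl/7.68.0"',
    '198.51.100.9 - - [05/Oct/2021:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 10918 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Oct/2021:12:00:04 +0000] "GET /static/app.css HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
]


def find_traversal_attempts(lines):
    """Return the request targets of log lines carrying encoded-dot traversal."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and TRAVERSAL_RE.search(m.group(1)):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    probe = "/.%2e/.%2e/.%2e/etc/passwd"
    for label, mapper in (("vulnerable", map_vulnerable), ("fixed", map_fixed)):
        fs = mapper(probe)
        print(f"{label:10s} {probe} -> {fs} escapes_docroot={escapes_docroot(fs)}")
    for target in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", target)
```

Whether a mapped path outside the document root is actually served depends on the filesystem access control, which is why the advisory points at the default `Require all denied` on the root directory; the detector above is only a triage aid, since a 200 response on such a request is what confirms exposure.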
Implication
An attacker could exploit these vulnerabilities to read files outside the document root, leak the source of CGI scripts and other interpreted files, crash the server, or take control of an affected system.
Need
The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apache HTTP Server 2.4.50 vulnerabilities page and apply the necessary update. Note that the 2.4.50 fix for CVE-2021-41773 was subsequently found to be incomplete (CVE-2021-42013) and Apache released 2.4.51 on October 7, 2021; administrators should update to 2.4.51 or later.
For a brief overview:
For a more technical overview: