The Dolpins Archive

Internet Bug Bounty: High severity vulnerability in Apache HTTP Server could lead to RCE

Buffer overflow flaw should be patched promptly

A buffer overflow vulnerability in Apache HTTP Server could allow attackers to carry out remote code execution attacks.

The vulnerability (CVE-2021-44790) can be exploited via a carefully crafted request body that can cause a buffer overflow in the multipart parser (called from Lua scripts).

It was discovered by a researcher with the handle ‘chamal’, who found that the high severity security flaw was present in Apache HTTP Server versions 2.4.51 and earlier.

The researcher reported the vulnerability to the open source project’s maintainers at the Apache Software Foundation, who have since fixed the issue.

It was also reported to the Internet Bug Bounty (IBB), a partnership involving tech companies including HackerOne, Elastic, Facebook, Figma, GitHub, Shopify, and TikTok.

IBB rewards researchers for finding bugs in ubiquitous open source software projects on the basis of an 80/20 split between the bug hunter and the relevant project.

In this case, the maximum severity payout ($2,500) was awarded, with $2,000 allotted to chamal and $500 to the Apache Foundation.

Collaborative security

Kayla Underkoffler, senior security technologist at HackerOne, told The Daily Swig that the IBB “fosters a collaborative, community-based approach to open source security by incentivizing security researchers to report vulnerabilities”.

Underkoffler explained: “As open source is a critical component of almost every business tech stack, organizations have an obligation to contribute back to the security efforts of these projects.

“The IBB helps organizations provide a portion of that support through the 20% contribution back to the project.”

She added: “The program enables companies to help secure open source dependencies within their software supply chains by contributing a portion of their already dedicated bug bounty funds to the IBB.”

The bug bounty program supports some of the most commonly used open source web development technologies, including cURL, Django, Electron, Node.js, Ruby, and Apache.

Underkoffler said: “The pooled funds for the bounty rewards dictate how much will be awarded for vulnerabilities; the more organizations that contribute to securing shared open source, the bigger the chances for bounty rewards.”

She described the disclosure process as “simple”, because the IBB is a ‘post-fix’ bounty program, where payouts are awarded only after vulnerabilities have been remediated and publicly disclosed by the project.

Users are urged to update to the latest version of Apache HTTP Server in order to protect against the vulnerability.
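As an added illustration of that advice (example code written for this page, not from the article or the Apache project): a POSIX shell triage script that parses the `httpd -v` banner and the `httpd -M` module list, flags builds at or below 2.4.51 as affected, and reports whether the Lua module (assumed here to be `mod_lua`, the module through which the article says the multipart parser is reached) is actually loaded. The banner and module list at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example, not from the article or the Apache project: offline triage
# for CVE-2021-44790. The article reports that 2.4.51 and earlier are affected
# and that the overflow sits in the multipart parser reached from Lua scripts,
# so a build is only exposed if the Lua module (assumed: mod_lua) is loaded.

# Return 0 (true) when the version string is 2.4.51 or older.
is_affected_version() {
    ver=$1
    major=${ver%%.*}
    case $ver in *.*) rest=${ver#*.} ;; *) rest=0 ;; esac
    minor=${rest%%.*}
    case $rest in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%[!0-9]*}          # drop suffixes such as "51-dev"
    [ "${major:-0}" -lt 2 ] && return 0
    [ "${major:-0}" -gt 2 ] && return 1
    [ "${minor:-0}" -lt 4 ] && return 0
    [ "${minor:-0}" -gt 4 ] && return 1
    [ "${patch:-0}" -le 51 ]
}

# Pull "2.4.51" out of `httpd -v` output ("Server version: Apache/2.4.51 (Unix)").
version_from_banner() {
    sed -n 's/^Server version: Apache\/\([0-9][0-9.]*\).*/\1/p'
}

# True when `httpd -M` output lists lua_module (reads the list from stdin).
lua_module_loaded() {
    grep -q '^[[:space:]]*lua_module[[:space:]]'
}

# Verdict for one host: "patched", "exposed", "not-reachable" or "unknown".
triage() {
    banner=$1; modules=$2
    ver=$(printf '%s\n' "$banner" | version_from_banner)
    [ -z "$ver" ] && { echo unknown; return; }
    if ! is_affected_version "$ver"; then echo patched; return; fi
    if printf '%s\n' "$modules" | lua_module_loaded; then echo exposed
    else echo not-reachable; fi
}

# Constructed sample output standing in for a real host; on a real server
# call: triage "$(httpd -v)" "$(httpd -M 2>/dev/null)"
SAMPLE_BANNER='Server version: Apache/2.4.51 (Unix)'
SAMPLE_MODULES=' core_module (static)
 lua_module (shared)
 dir_module (shared)'
triage "$SAMPLE_BANNER" "$SAMPLE_MODULES"   # prints: exposed
```

A "not-reachable" verdict still means the build is unpatched; it only says the Lua path the article describes is not loaded on that host.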