{
  "threat_severity" : "Important",
  "public_date" : "2021-09-16T00:00:00Z",
  "bugzilla" : {
    "description" : "httpd: mod_proxy: SSRF via a crafted request uri-path containing \"unix:\"",
    "id" : "2005117",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2005117"
  },
  "cvss3" : {
    "cvss3_base_score" : "9.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-918",
  "details" : [ "A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. This issue affects Apache HTTP Server 2.4.48 and earlier.", "A Server-Side Request Forgery (SSRF) flaw was found in mod_proxy of httpd. This flaw allows a remote, unauthenticated attacker to make the httpd server forward requests to an arbitrary server. The attacker could get, modify, or delete resources on other services that may be behind a firewall and inaccessible otherwise. The impact of this flaw varies based on what services and resources are available on the httpd network." ],
  "statement" : "Impact of the flaw set to Important because the actions an attacker can take vary a lot based on the kind of infrastructure in place, the kind of internal services and resources, and the available endpoints on those services. The attacker would also need to perform some kind of target-specific reconnaissance in order to find out all of the above information.\nThe version of httpd as shipped in Red Hat Enterprise Linux 7 is affected by this flaw even though the upstream code was not, because the Unix Domain Socket support required to trigger the flaw was backported.\nThe version of httpd as shipped in Red Hat Enterprise Linux 6 is not affected by this flaw because it has no support for Unix Domain Sockets.\nThe flaw can be triggered only if mod_proxy is in use (e.g. ProxyPass or ReverseProxy is used in the httpd configuration files).",
  "affected_release" : [ {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-10-07T00:00:00Z",
    "advisory" : "RHSA-2021:3746",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-httpd-0:2.4.37-76.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-10-07T00:00:00Z",
    "advisory" : "RHSA-2021:3746",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.16-7.Final_redhat_2.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-10-07T00:00:00Z",
    "advisory" : "RHSA-2021:3746",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_http2-0:1.15.7-19.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-10-07T00:00:00Z",
    "advisory" : "RHSA-2021:3746",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_jk-0:1.2.48-18.redhat_1.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-10-07T00:00:00Z",
    "advisory" : "RHSA-2021:3746",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_md-1:2.0.8-38.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services for RHEL 8",
    "release_date" : "2021-10-07T00:00:00Z",
    "advisory" : "RHSA-2021:3746",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el8",
    "package" : "jbcs-httpd24-mod_security-0:2.9.2-65.GA.el8jbcs"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-10-07T00:00:00Z",
    "advisory" : "RHSA-2021:3746",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-httpd-0:2.4.37-76.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-10-07T00:00:00Z",
    "advisory" : "RHSA-2021:3746",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_cluster-native-0:1.3.16-7.Final_redhat_2.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-10-07T00:00:00Z",
    "advisory" : "RHSA-2021:3746",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_http2-0:1.15.7-19.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-10-07T00:00:00Z",
    "advisory" : "RHSA-2021:3746",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_jk-0:1.2.48-18.redhat_1.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-10-07T00:00:00Z",
    "advisory" : "RHSA-2021:3746",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_md-1:2.0.8-38.jbcs.el7"
  }, {
    "product_name" : "JBoss Core Services on RHEL 7",
    "release_date" : "2021-10-07T00:00:00Z",
    "advisory" : "RHSA-2021:3746",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1::el7",
    "package" : "jbcs-httpd24-mod_security-0:2.9.2-65.GA.jbcs.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3856",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "httpd-0:2.4.6-97.el7_9.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.2 Advanced Update Support",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3856",
    "cpe" : "cpe:/o:redhat:rhel_aus:7.2",
    "package" : "httpd-0:2.4.6-40.el7_2.7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.3 Advanced Update Support",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3856",
    "cpe" : "cpe:/o:redhat:rhel_aus:7.3",
    "package" : "httpd-0:2.4.6-45.el7_3.6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.4 Advanced Update Support",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3856",
    "cpe" : "cpe:/o:redhat:rhel_aus:7.4",
    "package" : "httpd-0:2.4.6-67.el7_4.7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.6 Advanced Update Support(Disable again in 2026 - SPRHEL-7118)",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3856",
    "cpe" : "cpe:/o:redhat:rhel_aus:7.6",
    "package" : "httpd-0:2.4.6-89.el7_6.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.6 Telco Extended Update Support",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3856",
    "cpe" : "cpe:/o:redhat:rhel_tus:7.6",
    "package" : "httpd-0:2.4.6-89.el7_6.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3856",
    "cpe" : "cpe:/o:redhat:rhel_e4s:7.6",
    "package" : "httpd-0:2.4.6-89.el7_6.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.7 Advanced Update Support",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3856",
    "cpe" : "cpe:/o:redhat:rhel_aus:7.7",
    "package" : "httpd-0:2.4.6-90.el7_7.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.7 Telco Extended Update Support",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3856",
    "cpe" : "cpe:/o:redhat:rhel_tus:7.7",
    "package" : "httpd-0:2.4.6-90.el7_7.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions",
    "release_date" : "2021-10-14T00:00:00Z",
    "advisory" : "RHSA-2021:3856",
    "cpe" : "cpe:/o:redhat:rhel_e4s:7.7",
    "package" : "httpd-0:2.4.6-90.el7_7.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2021-10-12T00:00:00Z",
    "advisory" : "RHSA-2021:3816",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "httpd:2.4-8040020211008164252.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.1 Extended Update Support",
    "release_date" : "2021-10-13T00:00:00Z",
    "advisory" : "RHSA-2021:3837",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.1",
    "package" : "httpd:2.4-8010020211008125020.c27ad7f8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Extended Update Support",
    "release_date" : "2021-10-13T00:00:00Z",
    "advisory" : "RHSA-2021:3836",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.2",
    "package" : "httpd:2.4-8020020211008164029.4cda2c84"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2021-10-11T00:00:00Z",
    "advisory" : "RHSA-2021:3754",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "httpd24-httpd-0:2.4.34-22.el7.1"
  }, {
    "product_name" : "Text-Only JBCS",
    "release_date" : "2021-10-07T00:00:00Z",
    "advisory" : "RHSA-2021:3745",
    "cpe" : "cpe:/a:redhat:jboss_core_services:1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Not affected",
    "package_name" : "httpd",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-40438\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-40438\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog" ],
  "name" : "CVE-2021-40438",
  "mitigation" : {
    "value" : "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update the affected package as soon as possible.",
    "lang" : "en:us"
  },
  "csaw" : false
}