IBM3D55A48846F1F0B47B953543BA99A7A4FBF1CA77F4CE17B39C0FB856F8E3237C

HistoryMar 02, 2022 - 2:54 p.m.

Security Bulletin: IBM Rational Build Forge is affected by Apache HTTP Server version used in it. (CVE-2021-44790)

2022-03-0214:54:05

www.ibm.com

0.088 Low

EPSS

Percentile

94.6%

JSON

Summary

IBM Rational Build Forge version 8.0 - 8.0.0.20 is affected by CVE-2021-44790

Vulnerability Details

CVEID:CVE-2021-44790
**DESCRIPTION:**Apache HTTP Server is vulnerable to a buffer overflow, caused by improper bounds checking in the mod_lua multipart parser called from Lua scripts). By sending a specially crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/215686 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
Build Forge	8.0 - 8.0.0.20

Remediation/Fixes

You must download the fix pack specified in the following table and apply it.

Affected Supporting Product(s)

Remediation/Fix

—|—

IBM Rational Build Forge 8.0 to 8.0.0.20

Download IBM Rational Build Forge 8.0.0.21.

The fix includes Apache-HTTP-Server-2.4.52

Workarounds and Mitigations

None

CPENameOperatorVersion
rational build forge familyeq8.0.0.21

CPE	Name	Operator	Version
	rational build forge family	eq	8.0.0.21

photon

Critical Photon OS Security Update - PHSA-2022-0142

2022-01-12 00:00:00

Critical Photon OS Security Update - PHSA-2022-4.0-0142

2022-01-04 00:00:00

Critical Photon OS Security Update - PHSA-2021-0458

2021-12-25 00:00:00

nessus

AlmaLinux 8 : httpd:2.4 (ALSA-2022:0258)

2022-03-11 00:00:00

EulerOS 2.0 SP5 : httpd (EulerOS-SA-2022-1326)

2022-03-21 00:00:00

EulerOS Virtualization 3.0.2.0 : httpd (EulerOS-SA-2022-1671)

2022-05-07 00:00:00

cbl_mariner

CVE-2021-44790 affecting package httpd for versions less than 2.4.52-1

2022-04-09 06:51:57

CVE-2021-44790 affecting package httpd 2.4.51-1

2022-01-10 03:59:19

hackerone

Internet Bug Bounty: Buffer overflow in req_parsebody method in lua_request.c

2021-12-22 13:20:52

cve

CVE-2021-44790

2021-12-20 12:15:07

nvd

CVE-2021-44790

2021-12-20 12:15:07

K53280389 : Apache HTTP server vulnerability CVE-2021-44790

2021-12-29 00:00:00

rocky

httpd:2.4 security update

2022-01-25 12:49:42

openvas

Apache HTTP Server <= 2.4.51 Buffer Overflow Vulnerability - Windows

2021-12-21 00:00:00

Huawei EulerOS: Security Advisory for httpd (EulerOS-SA-2022-1671)

2022-05-09 00:00:00

Huawei EulerOS: Security Advisory for httpd (EulerOS-SA-2022-1326)

2022-03-21 00:00:00

osv

Important: httpd:2.4 security update

2022-01-25 12:49:42

Important: httpd:2.4 security update

2022-01-25 12:49:42

BIT-apache-2021-44790

2024-03-06 10:54:08

debiancve

CVE-2021-44790

2021-12-20 12:15:07

oraclelinux

httpd:2.4 security update

2022-01-25 00:00:00

httpd security update

2022-01-18 00:00:00

redhat

(RHSA-2022:0288) Important: httpd:2.4 security update

2022-01-26 14:23:05

(RHSA-2022:0303) Important: httpd24-httpd security update

2022-01-27 09:07:18

(RHSA-2022:0258) Important: httpd:2.4 security update

2022-01-25 12:49:42

veracode

Buffer Overflow

2021-12-21 09:34:13

cvelist

CVE-2021-44790 Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier

2021-12-20 00:00:00

zdt

Apache 2.4.x - Buffer Overflow Exploit

2023-04-02 00:00:00

packetstorm

Apache 2.4.x Buffer Overflow

2023-04-03 00:00:00

almalinux

Important: httpd:2.4 security update

2022-01-25 12:49:42

githubexploit

Exploit for Out-of-bounds Write in Apache Http Server

2023-12-05 05:54:47

prion

Buffer overflow

2021-12-20 12:15:00

alpinelinux

CVE-2021-44790

2021-12-20 12:15:07

ubuntucve

CVE-2021-44790

2021-12-20 00:00:00

cnvd

Apache HTTP Server Buffer Overflow Vulnerability (CNVD-2021-102386)

2021-12-24 00:00:00

httpd

Apache Httpd < 2.4.52 : Possible buffer overflow when parsing multipart content in mod_lua of Apache HTTP Server 2.4.51 and earlier

2021-12-20 00:00:00

redhatcve

CVE-2021-44790

2021-12-21 17:04:26

ibm

Security Bulletin: Multiple Vulnerabilities have been identified in WebSphere Application Server shipped with WebSphere Remote Server

2022-03-04 19:21:02

Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server, which is a required product for IBM Tivoli Netcool Configuration Manager (CVE-2021-44790, CVE-2021-44224)

2022-04-01 12:23:48

Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server

2022-01-12 19:17:07

exploitdb

Apache 2.4.x - Buffer Overflow

2023-04-01 00:00:00

slackware

[slackware-security] httpd

2021-12-20 20:00:56

debian

[SECURITY] [DLA 2907-1] apache2 security update

2022-02-01 21:18:26

[SECURITY] [DSA 5035-1] apache2 security update

2022-01-04 16:38:55

ubuntu

Apache HTTP Server vulnerabilities

2022-01-10 00:00:00

Apache HTTP Server vulnerabilities

2022-01-06 00:00:00

redos

ROS-20211223-04

2021-12-23 00:00:00

cisa

Apache Releases Security Update for HTTP Server

2021-12-22 00:00:00

mageia

Updated apache packages fix security vulnerabilities

2021-12-22 02:27:37

amazon

Important: httpd

2022-01-18 21:37:00

Important: httpd24

2022-01-18 20:14:00

fortinet

Multiple Apache Vulnerabilities fixed in 2.4.52

2021-12-28 00:00:00

altlinux

Security fix for the ALT Linux 9 package apache2 version 1:2.4.52-alt1

2022-02-04 00:00:00

Security fix for the ALT Linux 10 package apache2 version 1:2.4.52-alt1

2021-12-27 00:00:00

kaspersky

KLA12400 Multiple vulnerabilities in Apache HTTP Server

2021-12-20 00:00:00

fedora

[SECURITY] Fedora 35 Update: httpd-2.4.52-1.fc35

2021-12-24 01:26:46

[SECURITY] Fedora 34 Update: httpd-2.4.53-1.fc34

2022-03-25 22:06:50

[SECURITY] Fedora 36 Update: httpd-2.4.53-1.fc36

2022-03-26 15:55:33

freebsd

Apache httpd -- Multiple vulnerabilities

2021-12-20 00:00:00

threatpost

Critical Apache HTTPD Server Bugs Could Lead to RCE, DoS

2021-12-22 17:59:55

suse

Security update for apache2 (important)

2022-03-28 00:00:00

centos

httpd, mod_ldap, mod_proxy_html, mod_session, mod_ssl security update

2022-01-25 17:31:14

thn

CISA, FBI and NSA Publish Joint Advisory and Scanner for Log4j Vulnerabilities

2021-12-23 12:09:00

rosalinux

Advisory ROSA-SA-2023-2158

2023-04-25 11:30:17

Advisory ROSA-SA-2023-2160

2023-04-25 12:02:31

ics

Mitsubishi Electric MELSOFT iQ AppPortal

2022-05-12 12:00:00

gentoo

Apache HTTPD: Multiple Vulnerabilities

2022-08-14 00:00:00

apple

About the security content of Security Update 2022-004 Catalina

2022-05-16 00:00:00

About the security content of macOS Big Sur 11.6.6

2022-05-16 00:00:00

About the security content of macOS Monterey 12.4

2022-05-16 00:00:00

oracle

Oracle Critical Patch Update Advisory - October 2022

2022-10-18 00:00:00

Oracle Critical Patch Update Advisory - January 2022

2022-01-18 00:00:00

Oracle Critical Patch Update Advisory - April 2022

2022-04-19 00:00:00

Security Bulletin: IBM Rational Build Forge is affected by Apache HTTP Server version used in it. (CVE-2021-44790)

Summary

Vulnerability Details

Affected Products and Versions

Remediation/Fixes

Workarounds and Mitigations

Related