May 28, 2022



Internet Bug Bounty: High-severity vulnerability in Apache HTTP Server could lead to RCE

Buffer overflow flaw should be patched promptly

A buffer overflow vulnerability in Apache HTTP Server could enable attackers to carry out remote code execution (RCE) attacks.

The vulnerability (CVE-2021-44790) can be triggered through a carefully crafted request body that causes a buffer overflow in the mod_lua multipart parser (r:parsebody(), called from Lua scripts).

It was discovered by a researcher with the handle ‘chamal’, who found that the high-severity security flaw was present in Apache HTTP Server versions 2.4.51 and earlier.

The researcher reported the vulnerability to the open source project’s maintainers at the Apache Software Foundation, who have since fixed the issue in version 2.4.52.


It was also reported to the Internet Bug Bounty (IBB), a partnership between tech companies including HackerOne, Elastic, Facebook, Figma, GitHub, Shopify, and TikTok.

The IBB rewards researchers for finding issues in ubiquitous open source software projects on the basis of an 80/20 split between the bug hunter and the relevant project.

In this case, the maximum severity payout ($2,500) was awarded, with $2,000 allotted to chamal and $500 to the Apache Software Foundation.

Collaborative security

Kayla Underkoffler, senior security technologist at HackerOne, told The Daily Swig that the IBB “fosters a collaborative, community-based approach to open source security by incentivizing security researchers to report vulnerabilities”.

Underkoffler explained: “As open source is a critical component of every enterprise tech stack, organizations have an obligation to contribute back to the security efforts of those projects.


“The IBB helps organizations provide a portion of that support through the 20% contribution back to the project.”

She added: “The program enables organizations to help secure open source dependencies in their software supply chains by contributing a portion of their already dedicated bug bounty funds to the IBB.”


The bug bounty program supports some of the most widely used open source web development technologies, including cURL, Django, Electron, Node.js, Ruby, and Apache.

Underkoffler said: “The pooled funds for the bounty rewards dictate how much will be awarded for vulnerabilities; the more organizations that contribute to securing shared open source, the greater the opportunities for bounty rewards.”

She described the disclosure process as “simple”, since the IBB is a ‘post-fix’ bounty program, where payouts are awarded only after vulnerabilities have been remediated and publicly disclosed by the project.

Users are urged to update to the latest version of Apache HTTP Server (2.4.52 or later) to protect against the vulnerability.
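Because the overflow sits in mod_lua's multipart parser and is reached only through r:parsebody(), a host is exposed only if it runs an affected build, loads mod_lua, and has a Lua handler that actually calls that function. The following Python script is an added exposure check written for this page; it is not code from the article, The Daily Swig, the researcher, or the Apache project. It assumes the fix shipped in httpd 2.4.52 and uses the documented mod_lua handler API (`function handle(r)`, `r:parsebody()`). The `httpd -v` output, the config fragment, and the Lua handler it scans are constructed sample inputs, not captured from a real server.

```python
import re

# Apache httpd release that carries the fix for CVE-2021-44790.
FIXED_VERSION = (2, 4, 52)

# --- Constructed sample inputs (illustrative; not from a real host) ---
SAMPLE_HTTPD_V = (
    "Server version: Apache/2.4.51 (Unix)\n"
    "Server built:   Oct  7 2021 20:45:22\n"
)

SAMPLE_HTTPD_CONF = """\
# LoadModule lua_module modules/mod_lua.so   (a commented-out copy must be ignored)
LoadModule lua_module modules/mod_lua.so
<Files "*.lua">
    SetHandler lua-script
</Files>
"""

SAMPLE_LUA_HANDLER = """\
function handle(r)
    -- r:parsebody() is what drives the multipart parser affected by CVE-2021-44790
    local form, files = r:parsebody(1024 * 1024)
    r:puts("ok")
    return apache2.OK
end
"""


def parse_httpd_version(httpd_v_output):
    """Extract (major, minor, patch) from `httpd -v` output, or None if absent."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", httpd_v_output)
    return tuple(int(x) for x in m.groups()) if m else None


def version_affected(version):
    """2.4.51 and earlier are affected; anything from 2.4.52 up carries the fix."""
    return version is not None and version < FIXED_VERSION


def mod_lua_loaded(conf_text):
    """True if an uncommented LoadModule directive loads lua_module."""
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        if re.match(r"LoadModule\s+lua_module\s", stripped):
            return True
    return False


def parsebody_call_lines(lua_source):
    """Return 1-based line numbers of r:parsebody(...) calls.

    Strips `--` line comments before matching. It does not understand
    --[[ ]] block comments or `--` inside string literals, so treat a hit
    as something to review by hand, not as proof on its own.
    """
    hits = []
    for lineno, line in enumerate(lua_source.splitlines(), start=1):
        code = line.split("--", 1)[0]
        if re.search(r":\s*parsebody\s*\(", code):
            hits.append(lineno)
    return hits


def assess(httpd_v_output, conf_text, lua_sources):
    """Combine the three checks into one verdict.

    lua_sources maps a script name to its Lua source text. The host is
    reported as exposed only when all three conditions hold: affected
    build, mod_lua loaded, and at least one handler calling r:parsebody().
    """
    version = parse_httpd_version(httpd_v_output)
    affected = version_affected(version)
    lua_on = mod_lua_loaded(conf_text)
    calls = {
        name: lines
        for name, lines in ((n, parsebody_call_lines(s)) for n, s in lua_sources.items())
        if lines
    }
    return {
        "version": version,
        "version_affected": affected,
        "mod_lua_loaded": lua_on,
        "parsebody_calls": calls,
        "exposed": affected and lua_on and bool(calls),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_HTTPD_V, SAMPLE_HTTPD_CONF, {"upload.lua": SAMPLE_LUA_HANDLER})
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real host, feed `assess()` the output of `httpd -v`, the contents of the server's configuration files, and the Lua scripts referenced by `LuaHookHandler` or `SetHandler lua-script`. A negative result on the parsebody scan does not remove the need to upgrade; it only tells you the vulnerable code path is not currently reachable from your own handlers.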
