CVE-2024-38477: Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request
Published Jul 1, 2024
·Updated
Apache. This is a vulnerability in open source code and Apple Software among the affected projects. The CVE-ID was assigned by a third party. Learn more about the issue and CVE-ID at cve.org.
Credit
CVE-2024-39573, CVE-2024-38477, CVE-2024-38476, an anonymous researcher, Ivan Fratric(Google Project Zero), Mickey Jin@@patch1t, K宝@@Pwnrin, Kirin@@Pwnrin, 7feilee, pattern-f@@pattern_F_(Loadshine Lab), Hikerell(Loadshine Lab), Hossein Lotfi@@hosselot(Trend Micro Zero Day Initiative), Alexandre Bedard, Ronny Stiftel, Wang Yu(Cyberserval), Junsung Lee(Trend Micro Zero Day Initiative), Jex Amro, Zhongquan Li@@Guluisacat, Ye Zhang@@VAR10CK(Baidu Security), Mateusz Krzywicki@@krzywix, Garrett Moon(Excited Pixel LLC), Arsenii Kostromin (0x3c3e), Ben Roeder, Toomas Römer, Jaime Bertran, Noah Gregory (wts.dev), Un3xploitable(CW Research Inc), Bohdan Stasiuk@@Bohdan_Stasiuk(CW Research Inc), Pedro Tôrres@@t0rr3sp3dr0, Mickey Jin@@patch1t(Kandji), Csaba Fitzl@@theevilbit(Kandji), an anonymous researcher(Dawn Security Lab of JD), Yinyi Wu@@_3ndy1(Dawn Security Lab of JD), Narendra Bhati(Cyber Security at Suma Soft Pvt), Manager(Cyber Security at Suma Soft Pvt), Pune (India), Lucas Di Tomase, Ryan Dowd@@_rdowd, Gergely Kalman@@gergely_kalman, Csaba Fitzl@@theevilbit, Michael DePlante@@izobashi(Trend Micro Zero Day Initiative), Halle Winkler, Politepix (theoffcuts.org), Bing Shi(Alibaba Group), Wenchao Li(Alibaba Group), Xiaolong Bai(Alibaba Group), (Indiana University Bloomington), Luyi Xing(Indiana University Bloomington), dw0r!(Trend Micro Zero Day Initiative), Rodolphe Brunetti@@eisw0lf, Cristian Dinca (icmd.tech), Wojciech Regula(SecuRing), Q1IQ@@q1iqF, P1umer@@p1umer, Bohdan Stasiuk@@Bohdan_Stasiuk
Affected Software
13 affected componentsFixes available
debian/apache2
2.4.62-1~deb11u12.4.61-1~deb11u12.4.62-1~deb12u12.4.62-1~deb12u22.4.62-3
Apache HTTP Server>=2.4.0<2.4.60
NetApp Clustered Data ONTAP=9.0
IBM R10.0<=10.1.3.0
10.0.245.0
IBM R9.4<=89.42.18.0
89.41.25.0
89.40.83.0
IBM R9.3<=89.33.52.0
89.33.45.0
Apple macOS Sequoia<15.1
15.1
F5 BIG-IP>=17.1.0<=17.1.2
17.5.017.1.2.2
F5 BIG-IP>=16.1.0<=16.1.5
16.1.6
F5 BIG-IP>=15.1.0<=15.1.10
15.1.10.8
F5 F5OS-A=1.7.0, >=1.5.1<=1.5.2
1.8.01.5.3
F5 F5OS-C>=1.6.0<=1.6.2
1.8.0
F5 Traffix SDC=5.2.0
Remediation
Patch Available
Event History
Jul 1, 2024
CVE Published
via MITRE·06:16 PM
Data Sourced
via MITRE·06:16 PM
DescriptionWeakness
Data Sourced
via NVD·07:15 PM
DescriptionSeverityWeaknessAffected Software
Data Sourced
via Red Hat·07:22 PM
DescriptionSeverityAffected Software
Aug 23, 2024
Advisory Published
via F5·05:11 PM
Data Sourced
via F5·05:11 PM
DescriptionSeverityWeaknessAffected Software
Sep 18, 2024
Data Sourced
via Ubuntu·06:40 PM
RemedyDescriptionSeverityAffected Software
Oct 28, 2024
Data Sourced
via Apple·12:00 AM
DescriptionWeaknessAffected Software
Frequently Asked Questions
1
What is the severity of CVE-2024-38477?
CVE-2024-38477 is classified as a high-severity vulnerability due to its potential to cause denial of service.
2
How do I fix CVE-2024-38477?
To fix CVE-2024-38477, update your Apache HTTP Server to a patched version that is above 2.4.62.
3
What systems are affected by CVE-2024-38477?
CVE-2024-38477 affects various systems running vulnerable versions of Apache HTTP Server and other products that utilize mod_proxy.
4
Can CVE-2024-38477 be exploited remotely?
Yes, CVE-2024-38477 can be exploited remotely by sending specially crafted requests to vulnerable servers.
5
What are the consequences of CVE-2024-38477 exploitation?
Exploitation of CVE-2024-38477 can lead to a denial of service, making affected services unavailable.