In November 2021, the Apache open source project published CVEs for httpd versions between 2.4.41 and 2.4.51 (see the list of CVEs in the "Cause" section).
Check Point uses the Apache HTTP Server as the Web server for several of its user portals on both the Security Gateway (Gaia Portal, Identity Awareness Captive Portal, Mobile Access Portal, and so on) and the Management Server (Gaia Portal, Management Portal, and so on).
None of the CVEs in the list below compromises Check Point products.
mod_proxy_wstunnel, when configured on a URL that the origin server does not necessarily upgrade, tunneled the whole connection regardless, allowing subsequent requests on the same connection to pass through without any HTTP validation, authentication, or authorization that might be configured.
Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in an HTTP/2 request results in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" mitigates this vulnerability for unpatched servers.
Apache HTTP Server versions 2.4.20 to 2.4.43. When trace/debug was enabled for the HTTP/2 module and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools. Configuring the LogLevel of mod_http2 above "info" mitigates this vulnerability for unpatched servers.
Apache HTTP Server 2.4.0 to 2.4.46. A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor could the Apache HTTP Server team create one, though some particular compiler and/or compilation option might make it possible, with limited consequences in any case due to the size (a single byte) and the value (a zero byte) of the overflow.
The Apache HTTP Server protocol handler for the HTTP/2 protocol checks received request headers against the size limitations configured for the server, the same limits used for the HTTP/1 protocol. On violation of these restrictions, an HTTP response is sent to the client with a status code indicating why the request was rejected. This rejection response is not fully initialized in the HTTP/2 protocol handler if the offending header is the very first one received or appears in the footer. This leads to a NULL pointer dereference on initialized memory, reliably crashing the child process. Because such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to cause a denial of service.
The Apache HTTP Server version affected by this CVE was never actually released by Apache (only mod_http2 1.15.17 and Apache HTTP Server version 2.4.47 were affected).
Request splitting via HTTP/2 method injection and mod_proxy. A crafted method sent through HTTP/2 bypasses validation and is forwarded by mod_proxy, which can lead to request splitting or cache poisoning.
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution. This issue is known to be exploited in the wild.
This issue only affects Apache 2.4.49 and not earlier versions.
Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773). It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.
This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.
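As an added example (not from the Check Point article or from Apache), a small access-log check for the two path-traversal CVEs above: it fully decodes each request path addressed to an aliased prefix and flags those that resolve outside that directory, independently of whatever normalization the server itself applied. The alias prefixes, log lines and client addresses are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Alias-style prefixes as in the stock httpd.conf (Alias /icons/, ScriptAlias /cgi-bin/); adjust to your config.
ALIASED_PREFIXES = ("/icons/", "/cgi-bin/")

# Constructed access-log lines in Apache "common" log format; not taken from the page.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Oct/2021:12:00:01 +0000] "GET /icons/apache_pb.gif HTTP/1.1" 200 2326
203.0.113.11 - - [05/Oct/2021:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 45
203.0.113.12 - - [05/Oct/2021:12:00:03 +0000] "GET /icons/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1234
203.0.113.13 - - [05/Oct/2021:12:00:04 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 0
"""

LINE_RE = re.compile(r'^(?P<client>\S+) .*? "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def normalize_target(target: str, rounds: int = 2) -> str:
    """Percent-decode the request path (up to `rounds` layers) and collapse dot segments.

    Two rounds are used because the 2.4.50 follow-up fix was bypassed with a second
    layer of percent-encoding; the result is an absolute path with no '..' left in it.
    """
    path = target.split("?", 1)[0]          # drop the query string
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:                 # nothing left to decode
            break
        path = decoded
    return posixpath.normpath("/" + path.lstrip("/"))


def find_alias_escapes(log_text: str, prefixes=ALIASED_PREFIXES):
    """Return (client, raw_target, normalized_path) for every request whose decoded
    path leaves the aliased directory it was addressed to."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        prefix = next((p for p in prefixes if target.startswith(p)), None)
        if prefix is None:
            continue                        # not addressed to an aliased directory
        normalized = normalize_target(target)
        if not normalized.startswith(prefix):
            hits.append((m.group("client"), target, normalized))
    return hits


if __name__ == "__main__":
    for client, raw, norm in find_alias_escapes(SAMPLE_LOG):
        print(f"{client} requested {raw} -> resolves to {norm}")
```

A 200 status on a flagged line is the signal that the server actually served the escaped path; 400/404 lines show the request was attempted but refused.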