Check Point response to Apache CVEs - November 2021 for httpd versions between 2.4.41 and 2.4.51
Solution

In November 2021, the Apache HTTP Server project published CVEs for httpd versions between 2.4.41 and 2.4.51 (see the CVE tables below).

Check Point uses the Apache HTTP Server as the Web server for several of its user portals on both the Security Gateway (Gaia Portal, Identity Awareness Captive Portal, Mobile Access Portal, and so on) and the Management Server (Gaia Portal, Management Portal, and so on).

None of the CVEs listed below compromises Check Point products.


For the following CVEs from the Apache vulnerability publication, we recommend installing the applicable hotfix package to improve the stability of the user portals:

Note - CVEs listed in this table were analyzed for Check Point versions from R77.30 to R81.10.


CVE-2020-13950 (Low)
  Description: mod_proxy_http can be made to crash (NULL pointer dereference) with specially crafted requests that carry both a Content-Length and a Transfer-Encoding header, leading to a Denial of Service.
  Comments: No known exploit in Check Point products. Can cause a DoS: the web service goes down once and then restarts.

CVE-2021-26690 (Low)
  Description: A specially crafted Cookie header handled by mod_session can cause a NULL pointer dereference and crash, leading to a possible Denial of Service.
  Comments: No known exploit in Check Point products. Can cause a DoS: the web service goes down once and then restarts.

CVE-2021-26691 (Low)
  Description: A specially crafted SessionHeader sent by an origin server could cause a heap overflow.
  Comments: No known exploit in Check Point products. The heap overflow can cause a DoS: the web service goes down once and then restarts.

CVE-2021-34798 (Moderate)
  Description: Malformed requests may cause the server to dereference a NULL pointer.
  Comments: No known exploit in Check Point products. Can cause a DoS: the web service goes down once and then restarts.

CVE-2021-40438 (High)
  Description: A crafted request uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user.
  Comments: User interaction is required (clicking a malicious link).

For the following CVEs from the Apache vulnerability publication, remediation is not required (Check Point products are not vulnerable):

Note - CVEs listed in this table were analyzed for Check Point versions from R80.10 to R81.10.


CVE-2019-17567 (Moderate)
  mod_proxy_wstunnel configured on a URL that is not necessarily upgraded by the origin server was tunneling the whole connection regardless, thus allowing subsequent requests on the same connection to pass through with none of the HTTP validation, authentication or authorization that may have been configured.

CVE-2020-9490 (Important) - Apache HTTP Server versions 2.4.20 to 2.4.43
  A specially crafted value for the 'Cache-Digest' header in an HTTP/2 request results in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards.
  Configuring the HTTP/2 feature via "H2Push off" mitigates this vulnerability for unpatched servers.

CVE-2020-1927 (Low) - Apache HTTP Server versions 2.4.0 to 2.4.41
  Some mod_rewrite configurations are vulnerable to open redirect.

CVE-2020-1934 (Low) - Apache HTTP Server versions 2.4.0 to 2.4.41
  mod_proxy_ftp uses an uninitialized value when talking to a malicious FTP backend.

CVE-2020-11984 (Moderate) - Apache HTTP Server versions 2.4.32 to 2.4.43
  mod_proxy_uwsgi information disclosure and possible RCE.

CVE-2020-11993 (Moderate) - Apache HTTP Server versions 2.4.20 to 2.4.43
  When trace/debug logging was enabled for the HTTP/2 module, and on certain traffic edge patterns, logging statements were made on the wrong connection, causing concurrent use of memory pools.
  Configuring the LogLevel of mod_http2 above "info" mitigates this vulnerability for unpatched servers.

CVE-2020-13938 (Moderate)
  Unprivileged local users can stop httpd on Windows.

CVE-2020-35452 (Low) - Apache HTTP Server 2.4.0 to 2.4.46
  A specially crafted Digest nonce can cause a stack overflow in mod_auth_digest. There is no report of this overflow being exploitable, nor could the Apache HTTP Server team create one, though a particular compiler and/or compilation option might make it possible, with limited consequences in any case due to the size (a single byte) and the value (a zero byte) of the overflow.

CVE-2021-30641 (Moderate) - Apache HTTP Server versions 2.4.39 to 2.4.46
  Unexpected matching behavior with 'MergeSlashes OFF'.

CVE-2021-31618 (Important)
  The Apache HTTP Server protocol handler for HTTP/2 checks received request headers against the size limitations configured for the server, the same limits used for the HTTP/1 protocol. On violation of these restrictions, an HTTP response is sent to the client with a status code indicating why the request was rejected.
  This rejection response is not fully initialized in the HTTP/2 protocol handler if the offending header is the very first one received or appears in the footer. This leads to a NULL pointer dereference on initialized memory, reliably crashing the child process. Because such a triggering HTTP/2 request is easy to craft and submit, this can be exploited to DoS the server.
  The Apache HTTP Server version that contains this CVE was never actually released by Apache (only mod_http2 1.15.17 and Apache HTTP Server version 2.4.47).

CVE-2021-33193 (Moderate)
  Request splitting via HTTP/2 method injection and mod_proxy.
  A crafted method sent through HTTP/2 bypasses validation and is forwarded by mod_proxy, which can lead to request splitting or cache poisoning.

CVE-2021-36160 (Moderate)
  A carefully crafted request uri-path can cause mod_proxy_uwsgi to read above the allocated memory and crash (DoS).

CVE-2021-39275 (Low)
  ap_escape_quotes() may write beyond the end of a buffer when given malicious input.
  No included modules pass untrusted data to this function, but third-party / external modules may.

CVE-2021-41524 (Moderate)
  While fuzzing httpd 2.4.49, a new NULL pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was introduced in version 2.4.49. No exploit is known to the project.

CVE-2021-41773 (Critical)
  A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.
  If files outside these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.
  This issue is known to be exploited in the wild.
  This issue only affects Apache 2.4.49 and not earlier versions.

CVE-2021-42013 (Critical)
  Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773).
  It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.
  If files outside these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.
  This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.
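The two path-normalization CVEs above share one mechanism: the request path encodes the dot in ".." (".%2e" for CVE-2021-41773, and the doubly encoded ".%%32%65", which decodes to ".%2e" and only then to "..", for CVE-2021-42013), so a check that looks at the still-encoded path never sees a literal "..". The following is an added example, not code from this article or from Check Point or Apache: it percent-decodes a request path until it stops changing and flags any segment that resolves to "..", then runs that check over a few constructed access-log lines in Apache's combined format (the addresses and timestamps are made up). It is a detection aid for hunting in web server logs, not a statement about how httpd normalizes paths internally.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). They are not taken
# from the page; client addresses come from the documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2021:10:12:01 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1043 "-" "curl/7.79.1"
203.0.113.5 - - [05/Oct/2021:10:12:03 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 512 "-" "curl/7.79.1"
198.51.100.9 - - [05/Oct/2021:10:12:05 +0000] "GET /icons/.%2e/%2e%2e/etc/passwd HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.77 - - [05/Oct/2021:10:13:00 +0000] "GET /index.html HTTP/1.1" 200 3221 "-" "Mozilla/5.0"
192.0.2.77 - - [05/Oct/2021:10:13:02 +0000] "GET /images/logo.png?v=2 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
"""

# client, method, request-target, status from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def naive_has_dotdot(path: str) -> bool:
    """Check the raw, still-encoded path for a literal "..".
    This is the shape of check that ".%2e" slips past (CVE-2021-41773)."""
    return ".." in path.split("?", 1)[0]


def fully_decode(path: str, max_rounds: int = 4) -> tuple[str, int]:
    """Percent-decode repeatedly until the string stops changing (bounded).
    Returns (decoded_path, rounds_needed): one round undoes %2e, two rounds undo
    %%32%65 (it decodes to %2e first, then to '.'), which is the CVE-2021-42013 case."""
    current = path
    for rounds in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return current, rounds
        current = decoded
    return current, max_rounds


def has_traversal(path: str) -> bool:
    """True if any '/'-separated segment resolves to '..' after full decoding
    (the query string is ignored; encoded slashes are decoded before splitting)."""
    decoded, _ = fully_decode(path.split("?", 1)[0])
    return any(seg == ".." for seg in decoded.split("/"))


def scan_log(text: str) -> list[dict]:
    """Return one finding per log line whose request path hides a '..' segment.
    decode_rounds distinguishes single (1) from double (2) encoding."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, raw_path, status = m.groups()
        if has_traversal(raw_path):
            _, rounds = fully_decode(raw_path.split("?", 1)[0])
            findings.append({
                "client": client,
                "method": method,
                "path": raw_path,
                "decode_rounds": rounds,
                "status": int(status),
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 403 in the log does not mean the attempt was harmless on a vulnerable build; the status only tells you whether "require all denied" held for that path, which is why the scanner reports every decoded ".." regardless of status. A POST to a CGI path with the double-encoded form is the pattern worth escalating, since CVE-2021-42013 combined with enabled CGI is the remote code execution case the table describes.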

For supported versions, Check Point upgraded the Apache HTTP Server to version 2.4.51.

This upgraded Apache HTTP Server is integrated into Jumbo Hotfix Accumulators:

Check Point Version - Jumbo Hotfix Take
R81.10 - Take 22
R81 - Take 51
R80.40 - Take 138
R80.30 3.10 - Take 241
R80.30 - Take 241
R80.20 - Take 205
R80.10 - Take 298

For Jumbo Hotfix Accumulator takes lower than those listed above, Check Point offers a hotfix package that installs on top of the required Jumbo take:

Check Point Version - Required Jumbo Hotfix Take - CPUSE Online Package Identifier / CPUSE Offline Hotfix Package
R81.10 - Take 9 - fw1_wrapper_HOTFIX_R81_10_JHF_T9_APACHE2_4_51_MAIN_GA_FULL.tgz
R81 - Take 44 - fw1_wrapper_HOTFIX_R81_JHF_T44_APACHE2_4_51_MAIN_GA_FULL.tgz
R80.40 - Take 125 - fw1_wrapper_HOTFIX_R80_40_JHF_T125_APACHE2_4_51_MAIN_GA_FULL.tgz
R80.30SP - Take 75 - fw1_wrapper_HOTFIX_R80_30SP_JHF_T75_PACHE2_4_51_MAIN_GA_FULL.tgz
R80.30 3.10 - Take 237 - fw1_wrapper_HOTFIX_R80_30_GOGO_T237_APACHE2_4_51_MAIN_GA_FULL.tgz
R80.30 - Take 237 - fw1_wrapper_HOTFIX_R80_30_JHF_T237_APACHE2_4_51_MAIN_GA_FULL.tgz
R80.20SP - Take 317 - fw1_wrapper_HOTFIX_R80_20SP_JHF_T317_APACHE2_4_51_MAIN_GA_FULL.tgz
R80.20 - Take 203 - fw1_wrapper_HOTFIX_R80_20_JHF_T203_APACHE2_4_51_MAIN_GA_FULL.tgz
R80.10 - Take 290 - fw1_wrapper_HOTFIX_R80_10_JHF_T290_APACHE2_4_51_GA_FULL.tgz

Notes:

  • For CloudGuard Network for AWS Gateway Load Balancer, install the R80.40 AWS GWLB image Build R80.40-294.943
  • For Quantum Spark Appliances with R80.20.X Gaia Embedded, install R80.20.35 Build 992002577 from sk174683
  • Refer to sk168597 - How to install a Hotfix

Check Point recommends always upgrading to the most recent version (Security Gateway / VSX / Security Management Server / Multi-Domain Security Management Server / SmartConsole).

Revision History

Date Description
12 Feb 2022
  • In the "Solution" section - added the Takes of Jumbo Hotfix Accumulators that contain the upgraded Apache HTTP Server
19 Dec 2021
  • In the "Solution" section - added the note about R80.20.35 Build 992002577 for Quantum Spark Appliances with R80.20.X Gaia Embedded
08 Dec 2021
  • In the "Solution" section - added the note about R80.40 AWS GWLB image Build R80.40-294.943
02 Dec 2021
  • In the "Cause" section - Moved CVE-2020-13950 to the table of CVEs for which we recommend installing the applicable hotfix package to improve the stability of user portals
  • In the "Cause" section - Restored CVE-2021-33193 and moved it to the table of CVEs for which remediation is not required (Check Point products are not vulnerable)
01 Dec 2021
  • In the "Cause" section - Removed CVE-2021-33193 because Check Point does not use HTTP/2 for the user portals
  • In the "Cause" section - Added the list of versions for which the CVEs were analyzed
  • In the "Solution" section - The recommended hotfix is provided for supported versions (see Support Life Cycle Policy)
28 Nov 2021
  • In the "Solution" section - Added the official packages for Scalable Platforms R80.20SP and R80.30SP
  • Added the "Revision History" section
18 Nov 2021 Updated the text in the "Cause" section:
  • User portals on Security Gateways are Gaia Portal, Identity Awareness Captive Portal, Mobile Access Portal, and so on
  • User portals on Management Servers are Gaia Portal, Management Portal, and so on
  • We recommend installing the applicable hotfix package to improve the stability of user portals
17 Nov 2021 In the "Product" field (in the header of this article) - Updated the list of products
14 Nov 2021 First release of this article

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
