
Vulnerable Apache httpd version 2.4.x < 2.4.52 in SEPM (CVE-2021-44790 and CVE-2021-44224)


Article ID: 238447




Endpoint Protection


A Qualys vulnerability scan reports a finding related to the Apache httpd version in SEPM.

"Apache 2.4.x < 2.4.52 Multiple Vulnerabilities"

CVE-2021-44790 and CVE-2021-44224



Apache 2.4.x < 2.4.52 Multiple Vulnerabilities 

The version of Apache httpd installed on the remote host is prior to 2.4.52. It is, therefore, affected by multiple vulnerabilities as referenced in the 2.4.52 advisory.

A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included). (CVE-2021-44224)
A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts). The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier. (CVE-2021-44790)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

NASL Family
Web Servers



The version of Apache httpd installed on the remote host is prior to 2.4.52 (SEPM prior to 14.3 RU5).



SEPM is not vulnerable to either of them:

CVE-2021-44790: Not vulnerable. mod_lua is not deployed with SEPM.

CVE-2021-44224: Not vulnerable. Forward proxy is not a default configuration for SEPM.
* However, if the customer changes the default configuration and enables forward proxy for their own use, then their site may become vulnerable since our Apache httpd versions are affected.
* We have a KB for using SEPM Apache as a reverse proxy, and that configuration is also not affected.

The scanner only reports on the installed version of httpd; SEPM is not impacted.

However, if you still want to upgrade httpd, version 2.4.52 or later will be available in 14.3 RU5 and later releases.
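The scanner finding is based on the version number alone, while exposure also depends on the two configuration conditions named above. The following added example (not Broadcom or Apache code) combines both checks over the text of an httpd configuration file. It assumes the configuration is passed in as a single string, does not follow Include directives, and uses constructed sample configurations.

```python
import re

# Affected ranges as stated in the advisory text quoted on this page.
FIXED = (2, 4, 52)
SSRF_FIRST_AFFECTED = (2, 4, 7)   # CVE-2021-44224: 2.4.7 through 2.4.51

def parse_version(banner):
    """Extract (major, minor, patch) from a string such as 'Apache/2.4.51 (Win64)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no version in {banner!r}")
    return tuple(int(x) for x in m.groups())

def active_directives(conf_text):
    """Yield (lowercased name, args) per non-comment line; directive names are case-insensitive."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")

def assess(banner, conf_text):
    """Return the CVEs for which both the version and the config precondition checked here hold."""
    version = parse_version(banner)
    lua_loaded = proxy_on = False
    for name, args in active_directives(conf_text):
        if name == "loadmodule" and args.split()[:1] == ["lua_module"]:
            lua_loaded = True
        elif name == "proxyrequests" and args.lower() == "on":
            proxy_on = True   # conservative: flagged if enabled in any context
    exposed = set()
    if version < FIXED and lua_loaded:
        exposed.add("CVE-2021-44790")
    if SSRF_FIRST_AFFECTED <= version < FIXED and proxy_on:
        exposed.add("CVE-2021-44224")
    return exposed

# Constructed sample configurations (not taken from a real SEPM install).
DEFAULT_LIKE = """
# LoadModule lua_module modules/mod_lua.so
LoadModule proxy_module modules/mod_proxy.so
ProxyRequests Off
"""
MODIFIED = DEFAULT_LIKE + "proxyrequests On\n"
```

An empty result for a pre-2.4.52 banner corresponds to the situation described in this article: the version is flagged, but neither precondition is present in the configuration.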