Apache HTTP Server Critical Source Code Disclosure Vulnerability - 20240708001

Overview

The WA SOC has been made aware of a vulnerability in Apache HTTP Server 2.4.60 where a regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content.

What is vulnerable?

Products Affected	CVE	CVSS	Severity
Apache HTTP Server 2.4.60	CVE-2024-39884	7.5	High

What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of 48 hours (refer Patch Management):

• Users are recommended to upgrade to version 2.4.61. The Apache HTTP Server Project: https://httpd.apache.org/security/vulnerabilities_24.html

Additional References

• THECYBERTHRONE: https://thecyberthrone.in/2024/07/05/apache-releases-new-http-server-version-fixes-cve-2024-39884/