CVE-2021-40438: 
Apache HTTP Server vulnerability analysis and mitigation

A Server-Side Request Forgery (SSRF) vulnerability (CVE-2021-40438) was discovered in modproxy of Apache HTTP Server 2.4.48 and earlier versions. The vulnerability allows a remote, unauthenticated attacker to force vulnerable HTTP servers to forward requests to arbitrary servers via a crafted request uri-path ([Apache Security](https://httpd.apache.org/security/vulnerabilities24.html), Red Hat CVE).

The vulnerability resides in modproxy and allows remote, unauthenticated attackers to force vulnerable HTTP servers to forward requests to arbitrary servers. The vulnerability has a CVSSv3 score of 9.0 indicating critical severity. The issue affects Apache HTTP Server versions 2.4.48 and earlier when modproxy is enabled (Rapid7 Blog).

Successful exploitation could allow attackers to obtain or tamper with resources that would potentially otherwise be unavailable to them. Since Apache HTTP Server is commonly bundled across a wide ecosystem of products, the vulnerability has broad impact potential. The vulnerability could be used to bypass IP-based authentication on origin servers/applications (Rapid7 Blog).

The vulnerability is patched in Apache HTTP Server version 2.4.49 and later. Users are strongly recommended to upgrade to the latest version. Apache httpd customers should upgrade to the latest version instead of upgrading incrementally, as versions 2.4.49 and 2.4.50 included other severe vulnerabilities. Special attention should be paid to firewall and security boundary product advisories (Rapid7 Blog).

Cisco identified more than 20 of their products, including network infrastructure solutions and security boundary devices, as potentially affected by this vulnerability. The vulnerability has been added to CISA's list of Known Exploited Vulnerabilities with a specified remediation date of December 15, 2021 for federal agencies (Rapid7 Blog).