Description
A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).
Source: CVE-2021-44224
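The description above names two conditions that have to coincide on a vulnerable version: `ProxyRequests On` (forward proxy) and reverse-proxy declarations that target a Unix domain socket. The following audit script is an added example, not code from the page, from Intland, or from the Apache project; it scans an httpd configuration text for those directives and checks a version banner against the affected range 2.4.7 to 2.4.51 given above. The sample configuration embedded in it is constructed for illustration, and the `ProxyPass ... unix:` form it looks for is the standard mod_proxy syntax for socket targets.

```python
"""Audit an httpd configuration for the CVE-2021-44224 preconditions:
ProxyRequests On combined with ProxyPass/ProxyPassMatch targets of the
form unix:/path|scheme://..., on a version in the affected range."""
import re

# Affected range as stated in the CVE description (2.4.7 up to 2.4.51 inclusive).
AFFECTED_MIN = (2, 4, 7)
AFFECTED_MAX = (2, 4, 51)

# Constructed sample configuration mixing forward and reverse proxying.
SAMPLE_CONF = """
ServerName example.internal
LoadModule proxy_module modules/mod_proxy.so
# Forward proxy enabled for all clients
ProxyRequests On
ProxyPass "/app" "unix:/var/run/app.sock|http://localhost/app"
ProxyPassReverse "/app" "http://localhost/app"
"""


def parse_version(banner):
    """Extract (major, minor, patch) from a banner such as 'Apache/2.4.51 (Unix)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def version_affected(banner):
    """True when the banner version falls inside the affected range."""
    v = parse_version(banner)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def _directives(conf_text):
    """Yield (directive_name_lowercased, [args]) for each non-comment line."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip('"') for p in line.split()]
        yield parts[0].lower(), parts[1:]


def audit_config(conf_text):
    """Report whether forward proxying is on and which UDS targets are declared."""
    forward_proxy = False
    uds_targets = []
    for name, args in _directives(conf_text):
        if name == "proxyrequests" and args and args[0].lower() == "on":
            forward_proxy = True
        elif name in ("proxypass", "proxypassmatch"):
            uds_targets.extend(a for a in args if a.lower().startswith("unix:"))
    return {
        "forward_proxy": forward_proxy,
        "uds_targets": uds_targets,
        # Both conditions present: the SSRF path described in the CVE text.
        "mixed": forward_proxy and bool(uds_targets),
    }


def assess(conf_text, version_banner):
    """Combine version and configuration findings into one verdict."""
    if not version_affected(version_banner):
        return "not-affected-version"
    findings = audit_config(conf_text)
    if findings["mixed"]:
        return "ssrf-and-dos-exposure"   # crash plus UDS request forwarding
    if findings["forward_proxy"]:
        return "dos-exposure"            # crash (NULL dereference) only
    return "not-exposed"


if __name__ == "__main__":
    print(assess(SAMPLE_CONF, "Apache/2.4.51 (Unix)"))
```

Turning `ProxyRequests` to `Off` in the sample changes the verdict to `not-exposed` even on an affected version, which matches the description: without forward proxying neither the crash nor the socket redirection applies. Removing Apache from the request path entirely, as the status updates below describe, takes the configuration out of scope altogether.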
Hosted clients
31.01.2022. - 09:40
Some hosted codebeamer instances are inaccessible, or are accessible but the login fails (codebeamer reports that maintenance is in progress).
This is due to an ongoing attempt to gain control over the Apache server by exploiting the CVE-2021-44224 vulnerability. Intland Software is working on the solution, which will probably take one day.
All relevant information will be published on this page as progress is made.
31.01.2022. - 12:04
DevOps changed the deployment configuration to remove the Apache server; HTTPS requests will be handled by Tomcat itself.
31.01.2022. - 12:39
The fix has been tested on an internal server; the DevOps team will start the roll-out for hosted clients.
31.01.2022. - 20:38
Instances without SVN access should work from now on. The instances with SVN will be updated on 01 February 2022.
02.02.2022. - 09:58
The fix has been implemented 99% for our hosted customers.