CVE-2021-40438 — Apache HTTP Server mod_proxy Server-Side Request Forgery (SSRF)

Apache HTTP Server mod_proxy — Crafted URI-Path SSRF Allowing Remote Actors to Forward Requests to Arbitrary Origin Servers

What is Apache mod_proxy?

Apache mod_proxy is the Apache HTTP Server module family that provides forward-proxy and reverse-proxy functionality. With ProxyPass, Apache forwards incoming HTTP requests to backend origin servers, either over TCP or, using the unix:/path/to/socket|http://... target form, over a Unix domain socket. It is widely used to front application servers (Tomcat, Node.js, Python WSGI) with Apache handling TLS termination, load balancing, and caching. Because mod_proxy runs with network access to those internal servers, an SSRF in it lets an outside client reach internal services that are not directly exposed to the internet.

Overview

CVE-2021-40438 is a server-side request forgery (SSRF) vulnerability (CWE-918) in Apache HTTP Server's mod_proxy module. With mod_proxy enabled, a crafted request URI path or query string can make mod_proxy forward the request to an origin server chosen by the remote client rather than to the configured backend, so an unauthenticated attacker can use the Apache server to proxy arbitrary HTTP requests to internal or external hosts. Apache fixed it in version 2.4.49 (released 16 September 2021); CISA added it to the KEV catalog on 1 December 2021.

Affected Versions

Version                                 Vulnerable                        Fixed in
Apache HTTP Server 2.4.48 and earlier   Yes (when mod_proxy is enabled)   2.4.49
Apache HTTP Server 2.4.49 and later     No                                N/A

Technical Details

The flaw is in how mod_proxy handles the unix:<socket-path>|<url> target form that ProxyPass uses to reach a backend over a Unix domain socket. Before 2.4.49, proxy_util.c searched the whole proxied filename (the configured target plus the client's request path and query string) for a unix: prefix followed by a |, instead of looking only at the configured part. A client could therefore append its own unix:...|http://host/ sequence, for example in the query string of an otherwise ordinary reverse-proxied request. When the supplied socket path was too long to resolve (longer than the platform path limit, 4096 bytes on Linux), the socket path was dropped, but the URL after the | had already replaced the configured backend, so mod_proxy opened a plain TCP connection to the attacker-chosen host and forwarded the request there:

  • Root cause: SSRF (CWE-918). The unix:|<url> parsing accepted attacker-controlled input from the request URI and let the URL after the | override the configured ProxyPass destination when the socket path could not be resolved
  • Attack vector: An unauthenticated HTTP request whose path or query string carries an over-long unix:... socket spec followed by |<url>, sent to any location that is handled by mod_proxy
  • SSRF targets: Internal services not reachable from the internet, including administrative interfaces, cloud metadata services (AWS IMDS), internal APIs, and backend applications that allow-list the Apache server's IP; the client's method, headers and body are forwarded as-is, so the attacker controls more than the URL
  • Authentication bypass: If internal services trust requests by source IP, the SSRF arrives from the Apache server's address and passes that network-based check
  • Fix: 2.4.49 only honours a unix: spec that begins the configured target (immediately after the internal proxy: prefix, where only ProxyPass can put it) and fails the request instead of silently falling back to TCP when the socket path cannot be resolved
  • Scope Changed: The CVSS "Scope Changed" metric reflects that the vulnerability grants access to resources beyond the Apache server itself (internal network services)
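To make the rewrite concrete, here is a small Python model of the behaviour. It is an added illustration written for this page, not httpd's own code: it mirrors what proxy_util.c's fix_uds_filename() did in 2.4.48 and does from 2.4.49, with socket-path resolution reduced to a length check against an assumed APR_PATH_MAX of 4096 (the Linux value). The function names, the backend and attacker hostnames, and the probe strings are all made up for the example.

```python
"""Model of the mod_proxy ``unix:<socket>|<url>`` rewrite behind CVE-2021-40438.

Added illustration, not httpd source: it mirrors the observable behaviour of
proxy_util.c's fix_uds_filename() in 2.4.48 and in 2.4.49, with socket-path
resolution reduced to a length check. Hostnames and paths are made up.
"""
from urllib.parse import urlsplit

# Assumption: Linux PATH_MAX. ap_runtime_dir_relative() fails (returns NULL)
# for a path longer than this, which is the condition the exploit relies on.
APR_PATH_MAX = 4096


def runtime_dir_relative(path):
    """Stand-in for ap_runtime_dir_relative(): None for an over-long path."""
    return None if len(path) > APR_PATH_MAX else path


def proxied_filename(backend, request_uri):
    """What `ProxyPass / <backend>` makes of a request:
    r->filename = 'proxy:' + backend + request URI (query string included)."""
    return "proxy:" + backend.rstrip("/") + request_uri


def fix_uds_filename_2448(filename):
    """2.4.48 behaviour. Returns (http_status, url_to_connect, uds_path).

    'unix:' is searched case-insensitively anywhere in the filename, so it can
    come from the client's path or query string, not only from ProxyPass.
    """
    if not filename.startswith("proxy:"):
        return 200, filename, None
    idx = filename.lower().find("unix:")
    bar = filename.find("|", idx) if idx >= 0 else -1
    if idx < 0 or bar < 0:
        return 200, filename[6:], None
    sock = urlsplit(filename[idx:bar])            # apr_uri_parse("unix:<path>")
    uds_path = runtime_dir_relative(sock.path)
    # The bug: the text after '|' replaces the whole target even when the socket
    # path could not be resolved, so the connection falls back to plain TCP.
    return 200, filename[bar + 1:], uds_path


def fix_uds_filename_2449(filename):
    """2.4.49 behaviour: 'unix:' must immediately follow 'proxy:' (only the
    configured target can put it there) and an unresolvable socket path is an error."""
    if not filename.startswith("proxy:"):
        return 200, filename, None
    rest = filename[6:]
    bar = rest.find("|", 5)
    if not rest.lower().startswith("unix:") or bar < 0:
        return 200, rest, None
    sock = urlsplit(rest[:bar])
    uds_path = None
    if sock.path and not sock.hostname:
        uds_path = runtime_dir_relative(sock.path)
    if uds_path is None:
        return 400, None, None                     # "Invalid proxy UDS filename"
    return 200, rest[bar + 1:], uds_path


def connection_target(result):
    """Where mod_proxy would actually connect for a fix_uds_filename result."""
    status, url, uds_path = result
    if status != 200:
        return ("error", status)
    if uds_path is not None:
        return ("unix", uds_path)
    return ("tcp", urlsplit(url).netloc)


if __name__ == "__main__":
    # Constructed probe: an over-long fake socket path, then the host the
    # attacker wants the server to reach.
    probe = "/?unix:" + "A" * (APR_PATH_MAX + 1) + "|http://169.254.169.254/latest/meta-data/"
    fname = proxied_filename("http://backend:8080/", probe)
    print("2.4.48:", connection_target(fix_uds_filename_2448(fname)))
    print("2.4.49:", connection_target(fix_uds_filename_2449(fname)))
```

Two things the model makes visible: a short attacker-supplied socket path only makes 2.4.48 try to open a non-existent socket (the request fails), which is why the public probes pad the path past the limit; and a legitimately configured proxy:unix:/run/app.sock|http://localhost/ target behaves identically before and after the fix, so the patch costs nothing for real Unix-socket backends.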

Discovery

Identified by the Apache HTTP Server security team. The fix shipped in Apache HTTP Server 2.4.49, released 2021-09-16. Note that 2.4.49 itself introduced the unrelated path traversal bug CVE-2021-41773, which was fixed in 2.4.50 and, after that fix proved incomplete (CVE-2021-42013), in 2.4.51.

Exploitation Context

Apache with mod_proxy as a reverse proxy is one of the most common web server configurations in enterprise environments; it is the standard setup for Apache-fronted application deployments. An SSRF in this position lets an unauthenticated client reach anything the web server host can reach: backend application servers, administrative interfaces bound to internal addresses, and cloud metadata services. Because mod_proxy forwards the client's method, headers and body, the attacker controls the whole forwarded request, not just its URL. The CISA KEV addition in December 2021 reflects confirmed exploitation in the wild against unpatched deployments. Cloud metadata endpoints (AWS IMDSv1, the GCP metadata server) are high-value targets because they hand out instance credentials. AWS IMDSv2 rejects requests that carry an X-Forwarded-For header, which mod_proxy adds by default, so enforcing IMDSv2 blunts that particular path, but it does not fix the bug or protect other internal services.
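Hunting for attempts in access logs: the following Python scanner is an added example, not part of the original page or of any Apache tooling. It parses Combined Log Format lines, percent-decodes the request target, and flags requests that carry a unix:...|<url> sequence, reporting how long the fake socket path was and whether it exceeds the limit that made 2.4.48 fall back to TCP. The log lines, addresses and user agents are constructed for the example, and the 4096-byte threshold is an assumption about the platform path limit.

```python
"""Scan Apache access logs for CVE-2021-40438 probe requests.

Added example, not from the original page: constructed log lines, assumed
Combined Log Format, and an assumed 4096-byte path limit (Linux PATH_MAX).
"""
import re
from urllib.parse import unquote

# Assumption: the socket-path length past which 2.4.48 dropped the socket path.
APR_PATH_MAX = 4096

# Combined Log Format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
# The trigger: a 'unix:' socket spec, then '|' and the origin the attacker wants reached.
PROBE_RE = re.compile(r"unix:(?P<sockpath>[^|]*)\|(?P<origin>\S+)", re.IGNORECASE)


def inspect_line(line):
    """Return a finding dict for a probe-shaped request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split(" ")
    if len(parts) < 2:
        return None
    # Decode so '%7C' for '|' and other encoded variants are not missed.
    target = unquote(parts[1])
    p = PROBE_RE.search(target)
    if not p:
        return None
    sockpath_len = len(p.group("sockpath"))
    return {
        "client": m.group("client"),
        "time": m.group("time"),
        "status": int(m.group("status")),
        "origin": p.group("origin"),
        "sockpath_len": sockpath_len,
        # Only an over-long socket path makes 2.4.48 fall back to TCP; a shorter
        # one just fails to open a non-existent socket (typically a 503).
        "overflows_path_limit": sockpath_len > APR_PATH_MAX,
    }


def scan_log(lines):
    """Findings for every probe-shaped request, in log order."""
    return [f for f in map(inspect_line, lines) if f is not None]


# Constructed sample log (addresses from the RFC 5737 documentation ranges).
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Dec/2021:09:15:01 +0000] "GET /api/v1/status HTTP/1.1" '
    '200 512 "-" "curl/7.79.1"',
    '198.51.100.7 - - [10/Dec/2021:09:15:02 +0000] "GET /?unix:' + "A" * 4097
    + '|http://169.254.169.254/latest/meta-data/iam/ HTTP/1.1" 200 331 "-" '
    '"python-requests/2.26.0"',
    '198.51.100.7 - - [10/Dec/2021:09:15:03 +0000] "GET /?unix:' + "A" * 40
    + '%7Chttp://10.0.0.5:8080/admin HTTP/1.1" 503 299 "-" "python-requests/2.26.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["client"], "->", f["origin"],
              "sockpath_len=%d overflow=%s status=%d"
              % (f["sockpath_len"], f["overflows_path_limit"], f["status"]))
```

A 2xx status on a finding with overflows_path_limit set means the forwarded request got an answer from the attacker-chosen origin, which is the case to treat as a confirmed SSRF rather than a probe; the origin field tells you what was reached.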

Remediation

  1. Upgrade Apache HTTP Server to 2.4.49 or later, which fixes CVE-2021-40438. In practice go straight to 2.4.51 or later: 2.4.49 introduced the path traversal CVE-2021-41773, and the 2.4.50 fix for it was incomplete (CVE-2021-42013).
  2. Until the upgrade is in place, be aware that no configuration directive closes this bug. ProxyRequests Off (the default) only disables forward proxying, and AllowCONNECT only governs CONNECT tunnels; neither affects the unix:|<url> rewrite. As a stopgap, reject requests whose request line or query string contains the sequence unix: (case-insensitive), since the exploit needs that literal text in the proxied URL; treat this as a temporary filter, not a fix.
  3. Keep ProxyRequests Off and define only explicit ProxyPass targets. This is general hardening that limits what mod_proxy is willing to do, not a mitigation for this CVE.
  4. Block access to cloud metadata endpoints (169.254.169.254) from the Apache host with OS-level firewall rules, and on AWS require IMDSv2, which refuses requests that carry the X-Forwarded-For header mod_proxy adds.
  5. Restrict egress from the Apache host to the configured backends only (host or network egress filtering), so that an SSRF through the proxy cannot reach the rest of the internal network.
  6. Review ProxyPass configuration for unnecessarily broad forwarding rules, and stop internal services from trusting requests purely because they arrive from the Apache server's IP address.

Key Details

Property               Value
CVE ID                 CVE-2021-40438
Vendor / Product       Apache — HTTP Server
NVD Published          2021-09-16
NVD Last Modified      2025-10-27
CVSS 3.1 Score         9.0
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-918 (Server-Side Request Forgery)
CISA KEV Added         2021-12-01
CISA KEV Deadline      2021-12-15
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      High
Privileges Required    None
User Interaction       None
Scope                  Changed
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2021-12-15. Apply updates per vendor instructions.

Timeline

Date          Event
2021-09-16    Apache HTTP Server 2.4.49 released with the fix for CVE-2021-40438; CVE published
2021-12-01    Added to the CISA Known Exploited Vulnerabilities catalog
2021-12-15    CISA BOD 22-01 remediation deadline

References

Resource                                              Type
Apache HTTP Server 2.4 Security Vulnerabilities       Vendor Advisory
NVD — CVE-2021-40438                                  Vulnerability Database
CISA KEV Catalog Entry                                US Government