PR-001 (#850)

commit-001

docs/advisories/20240708001-Apache-HTTP-Server-Critical-Source-Code-Disclosure-Vulnerability.md

@@ -0,0 +1,24 @@
+# Apache HTTP Server Critical Source Code Disclosure Vulnerability - 20240708001
+
+## Overview
+
+The WA SOC has been made aware of a vulnerability in Apache HTTP Server 2.4.60 where a regression in the core of Apache HTTP Server 2.4.60 ignores some use of the legacy content-type based configuration of handlers. "AddType" and similar configuration, under some circumstances where files are requested indirectly, result in source code disclosure of local content.
+
+## What is vulnerable?
+
+| Products Affected                                                                                                      | CVE                                                               | CVSS | Severity |
+| ---------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- | ---- | -------- |
+| Apache HTTP Server 2.4.60 | [CVE-2024-39884](https://nvd.nist.gov/vuln/detail/CVE-2024-39884) | 7.5  | High     |
+
+## What has been observed?
+
+There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
+
+## Recommendation
+
+The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours* (refer [Patch Management](../guidelines/patch-management.md)):
+
+- Users are recommended to upgrade to version 2.4.61. The Apache HTTP Server Project: <https://httpd.apache.org/security/vulnerabilities_24.html>
+
+## Additional References
+- THECYBERTHRONE: <https://thecyberthrone.in/2024/07/05/apache-releases-new-http-server-version-fixes-cve-2024-39884/>