Something very interesting about this vulnerability is that three different CVEs have been published for it.
The original one, CVE-2021-44228, stated that every version of the library before 2.15.0 was vulnerable and that 2.15.0 fixed the problem.
However, only four days later CVE-2021-45046 was published, stating that the fix in 2.15.0 was incomplete: in certain non-default configurations (a pattern layout that uses a Thread Context Map lookup such as ${ctx:loginId}) attacker-controlled input could still reach a JNDI lookup, so the library had to be updated to version 2.16.0, which removed message lookups entirely and disabled JNDI access by default.
A few days after that, a third CVE, CVE-2021-45105, came out, indicating that lookup handling still had not been fixed in all cases: a self-referential lookup in attacker-controlled context data caused uncontrolled recursion and a denial of service, so a further update to version 2.17.0 was necessary.
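Because the three CVEs have three different fix versions, the practical question is which of them a given log4j-core jar is still exposed to. The following version-triage script is an added example written for this page, not code from the Log4j project. The 2.15.0 / 2.16.0 / 2.17.0 thresholds are the ones given above; the thresholds for the 2.12.x (Java 7) and 2.3.x (Java 6) backport lines are added here from the project's release history and go beyond the text. The jar paths in `SAMPLE_JARS` are constructed for the example.

```python
import re

# Versions in which each CVE was fixed, per branch. The mainline 2.x
# thresholds are the ones described in the text; the 2.12.x and 2.3.x
# backport thresholds are added from the project's release history.
FIX_VERSIONS = {
    "mainline": {
        "CVE-2021-44228": (2, 15, 0),
        "CVE-2021-45046": (2, 16, 0),
        "CVE-2021-45105": (2, 17, 0),
    },
    "2.12.x": {  # Java 7 backport line
        "CVE-2021-44228": (2, 12, 2),
        "CVE-2021-45046": (2, 12, 2),
        "CVE-2021-45105": (2, 12, 3),
    },
    "2.3.x": {  # Java 6 backport line; 2.3.1 shipped all three fixes at once
        "CVE-2021-44228": (2, 3, 1),
        "CVE-2021-45046": (2, 3, 1),
        "CVE-2021-45105": (2, 3, 1),
    },
}

# Accepts "2.14.1", "2.16", and pre-releases such as "2.0-beta9".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:beta|rc)\d+)?$")
# Pulls the version out of a log4j-core jar filename; log4j-api jars are ignored.
_JAR_RE = re.compile(r"log4j-core-([0-9][^/\\]*?)\.jar$")


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised log4j version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def branch_of(version):
    """Select the fix table: the two backport lines are versioned independently of mainline."""
    major, minor, _ = version
    if major == 2 and minor == 12:
        return "2.12.x"
    if major == 2 and minor == 3:
        return "2.3.x"
    return "mainline"


def exposed_cves(version_text):
    """Return the CVEs from the table that this log4j-core version still lacks a fix for."""
    version = parse_version(version_text)
    if version[0] != 2:
        return []  # log4j 1.x is a different code base; the three CVEs above do not apply
    table = FIX_VERSIONS[branch_of(version)]
    return [cve for cve, fixed_in in table.items() if version < fixed_in]


def triage_jars(paths):
    """Map each log4j-core jar path to the CVEs it is exposed to; other jars are skipped."""
    result = {}
    for path in paths:
        m = _JAR_RE.search(path)
        if m:
            result[path] = exposed_cves(m.group(1))
    return result


# Constructed sample of what a filesystem scan might return; not real paths.
SAMPLE_JARS = [
    "/opt/app/lib/log4j-core-2.14.1.jar",
    "/opt/app/lib/log4j-core-2.15.0.jar",
    "/opt/app/lib/log4j-core-2.16.0.jar",
    "/opt/app/lib/log4j-core-2.17.0.jar",
    "/opt/legacy/lib/log4j-core-2.12.2.jar",
    "/opt/legacy/lib/log4j-api-2.14.1.jar",  # the api jar does not carry the lookup code
]

if __name__ == "__main__":
    for path, cves in triage_jars(SAMPLE_JARS).items():
        print(path, "->", ", ".join(cves) if cves else "no exposure in this table")
```

A version string is only a first-pass signal: a jar can be shaded or renamed, and a vendor may have patched a class in place (for example by removing JndiLookup.class) without bumping the version, so a filename-based check should be followed by inspecting the jar contents.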
Although it may seem strange that Apache was unable to fix this vulnerability in one go, it is not unusual: vulnerabilities of this type appear as 0-days and demand an immediate code fix from the vendor. When thousands of companies use your library, and those companies in turn serve millions of worried users, the pressure is extremely high and incomplete fixes like these do happen.