What is Apache HTTPD server Lua module Vulnerability? | CVE-2021-44790

This was disclosed to Apache team on Dec 16th and was fixed in 2.4.52 Release on Dec20th. This has CVSS score of 9.8 which means it so critical that servers across the Web might need to patched up if the lua_module is enabled in httpd configuration. But there might not be much to worry as far this CVE is concerned as lua module is disabled by default in most httpd configurations and also it’s not loaded. But let us see what are corrective steps that should be taken to migitate this Vulnerability in the below steps

Mitigation Steps for CVE-2021-44790:

Step 1: Open httpd.conf file

Step 2: Check for either of the below lines in httpd.conf

 AddHandler lua-script .lua

<Files "*.lua">
    SetHandler lua-script

If you find either of these in httpd.conf , then comment out the lines as shown and reload the httpd or restart the httpd. Commenting out these lines would prevent any lua scripts from any getting executed.

Step 3: And also we may need to disable lua modules to prevent this exploit.To do that search for below lines in httpd.conf and comment out the line LoadModule

In some installations of Apache, there might be separate configurations for mod_lua which needs to be commented out in a different file (Plesk installations)

Scroll to Top