CVE-2021-44224
A crafted URI sent to httpd configured as a forward proxy (ProxyRequests on) can cause a crash (NULL pointer dereference) or, for configurations mixing forward and reverse proxy declarations, can allow for requests to be directed to a declared Unix Domain Socket endpoint (Server Side Request Forgery). This issue affects Apache HTTP Server 2.4.7 up to 2.4.51 (included).
Relation to the VSys family of tools
Certain versions of VSys Live, VSys Live Kiosk and VSys Anywhere are potentially subject to this vulnerability. In cases where VSys may be vulnerable,
the only risk is that of a direct Denial of Service attach in which the vulnerability is used to crash Apache. There are no information disclosure or remote
access concerns for this due to the way that VSys uses Apache.
Remediation
Apache 2.43.52 is being validated and will be deployed to all hosted customer sites within the next 30 days. On-premise customers can contact our support team
to update Apache; that update process will take under 30 minutes with minimal downtime.