There are reports of active attacks on Apache servers.
Apache HTTP Server 2.4.48 and earlier are vulnerable to a server-side request forgery (SSRF) flaw, allowing attackers to send crafted requests via a vulnerable server (turning it into a proxy) to target internal resources behind firewalls or arbitrary external systems.
The CVSS (Common Vulnerability Scoring System) score for this vulnerability is critical: 9 on a scale of 10. The vulnerability, tracked as CVE-2021-40438, prompted CISA (Cybersecurity & Infrastructure Security Agency) to add it to its Known Exploited Vulnerabilities Catalog on December 1.
CVE-2021-40438 is patched in Apache HTTP Server 2.4.49 and later.
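To triage an inventory against the version boundary above, the following added example (not code from Apache or from the original article) classifies `Server` header values or `httpd -v` output. The host names and banner strings are constructed sample data, and the function names are hypothetical.

```python
import re

# Boundary taken from the advisory text: 2.4.48 and earlier are affected,
# 2.4.49 and later carry the fix.
LAST_AFFECTED = (2, 4, 48)

# Matches "Apache/2.4.48" in a Server header or in `httpd -v` output.
_VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def classify(banner):
    """Return 'affected', 'patched' or 'unknown' for one banner string."""
    m = _VERSION_RE.search(banner)
    if not m:
        # No Apache version visible (e.g. "ServerTokens Prod", or another
        # server product): this host needs a manual check.
        return "unknown"
    version = tuple(int(part) for part in m.groups())
    # Compare as integer tuples: as strings, "2.4.9" would sort above "2.4.48".
    return "affected" if version <= LAST_AFFECTED else "patched"


def triage(inventory):
    """Group host names by classification. inventory maps host -> banner."""
    result = {"affected": [], "patched": [], "unknown": []}
    for host, banner in sorted(inventory.items()):
        result[classify(banner)].append(host)
    return result


# Constructed sample inventory (hypothetical host names and banners).
SAMPLE = {
    "web-01": "Apache/2.4.48 (Ubuntu)",
    "web-02": "Apache/2.4.49 (Unix) OpenSSL/1.1.1l",
    "web-03": "Apache/2.4.9 (Win64)",
    "web-04": "Apache",
    "web-05": "Server version: Apache/2.4.51 (Unix)",
    "web-06": "nginx/1.20.1",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Distribution packages can backport a fix without changing the upstream version number, so treat an "affected" result as a prompt to check the vendor's advisory for that package rather than as proof.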