Apache HTTP Server project patches exploited zero-day vulnerability

The developers behind the Apache HTTP Server project urge users to immediately apply a patch to resolve a zero-day vulnerability.

According to a security advisory dated October 5, the bug is known to be actively exploited in the wild.

Apache HTTP Server is a popular open source project focused on developing HTTP server software suitable for operating systems including UNIX and Windows.

The release of Apache HTTP Server version 2.4.49 fixed a large number of security vulnerabilities, including a validation bypass bug, a NULL pointer dereference, a denial of service issue, and a severe Server-Side Request Forgery (SSRF) vulnerability.

However, the update also inadvertently introduced a separate critical issue – a path traversal vulnerability that can be exploited to map and disclose files.

Tracked as CVE-2021-41773, the security vulnerability was discovered by Ash Daulton of the cPanel security team; it was introduced by a change to path normalization in the server software.

“An attacker could use a path traversal attack to map URLs to files outside of the expected document root,” the developers say. “If files outside of the document root are not protected by ‘Require all denied’, these requests may be successful. In addition, this flaw could disclose the source of files interpreted as CGI scripts.”

Positive Technologies has reproduced the bug, and Will Dormann, vulnerability analyst at CERT/CC, says that if the mod_cgi module is enabled on Apache HTTP Server 2.4.49 and the default ‘Require all denied’ configuration is missing, then “CVE-2021-41773 is as RCE [remote code execution] as it gets.”
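To make the protection the advisory refers to concrete, here is an added illustration (not configuration from the advisory or the Apache project) of the server-wide default that decides whether a request mapped outside the document root succeeds: the first block is the weak setting, the second the hardened default that stock httpd.conf ships with. The DocumentRoot and cgi-bin paths are assumed.

```apache
# Weak: the entire filesystem is readable, so any request that the
# server maps to a path outside DocumentRoot is served.
<Directory />
    AllowOverride None
    Require all granted
</Directory>

# Hardened (the stock httpd.conf default): deny everything first, then
# grant access only to the directories that are meant to serve content.
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# Assumed document root; only this tree is granted.
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# Assumed CGI location. Keep script execution confined to one aliased
# directory; do not enable ExecCGI on DocumentRoot or on "/".
ScriptAlias /cgi-bin/ "/usr/lib/cgi-bin/"
<Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
```

After changing the configuration, `apachectl configtest` confirms the syntax and `apachectl -M` shows whether cgi_module is loaded at all.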

CVE-2021-41773 affects only Apache HTTP Server 2.4.49, since it was introduced in that release; earlier versions of the software are not affected.

Yesterday, researchers at Sonatype said that around 112,000 Apache servers are running the vulnerable version, of which around 40% are located in the United States.

The vulnerability was reported privately on September 29, and a patch was included in version 2.4.50, released October 4. Users are advised to update as soon as possible.
