Apache HTTP Server Zero-day Vulnerability Exploited in the Wild, Users Should Patch ASAP
Over 100,000 Apache HTTP Server 2.4.49 Exposed.
Last updated on October 6, 2021
Apache HTTP Server users have been advised to patch as soon as possible as a zero-day bug in the open-source cross-platform web server software is actively being exploited in the wild. At this time, it seems that over 100.000 servers have been vulnerable to attacks.
A few days after the Apache HTTP Server developers were notified about the vulnerability, Apache Software Foundation released version 2.4.50 in order to address it.
Cybersecurity specialist Ash Daulton was the one who found and reported the flaw to Apache HTTP Server on September 29, 2021.
The vulnerability exploited in the wild is tracked as CVE-2021-41773 and, according to researchers, is a path traversal and file disclosure flaw in the previous version (2.4.49).
What Is Apache HTTP Server?
The Apache HTTP Server is a free and open-source cross-platform web server software, developed and maintained by an open community of developers under the guidance of the Apache Software Foundation.
Most of the open-source HTTP Server instances run on a Linux distribution but current versions also run on Microsoft Windows, OpenVMS, and a wide variety of Unix-like systems.
An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by ‘require all denied’ these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts.
It is still unknown how the vulnerability is being exploited in attacks. When asked about the incident, Apache said to BleepingComputer:
As Apache HTTP Server 2.4.49 was only released a few weeks ago it’s likely many users will not have upgraded yet. If and how this issue can be exploited is highly dependent on how users will have configured the server. If you are using 2.4.49, it is recommended that you upgrade to the latest version instead of using access control configuration as mitigation.
On a default installation, an attacker could still use the flaw to obtain the source code of interpreted files like CGI scripts.
The new Apache HTTP Server Version 2.4.50 also includes a patch for a null pointer dereference vulnerability that can be exploited for denial-of-service (DoS) attacks, CVE-2021-41524. The issue was discovered and fixed a few weeks ago, and there is no evidence that it had been used in malicious activities.
As a Senior Content Writer and Video Content Creator specializing in cybersecurity, I leverage digital media to unravel and clarify complex cybersecurity concepts and emerging trends. With my extensive knowledge in the field, I create content that engages a diverse audience, from cybersecurity novices to experienced experts. My approach is to create a nexus of understanding, taking technical security topics and transforming them into accessible, relatable knowledge for anyone interested in strengthening their security posture.