Contents:
Earlier this week, Apache HTTP Server users have been urged to immediately patch as a zero-day bug in the open-source cross-platform web server software is actively being exploited in the wild.
Apache Software Foundation released version 2.4.50 in order to address CVE-2021-41773, a path traversal and file disclosure flaw in the previous version (2.4.49).
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root
If files outside of the document root are not protected by “require all denied” these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts.
Apache Issues a New Patch
Yesterday, the organization issued the HTTP Web Server 2.4.51 version as the previous fix didn’t work as expected, being incomplete.
The Apache HTTP Server is a free and open-source cross-platform web server software, developed and maintained by an open community of developers under the guidance of the Apache Software Foundation.
Most of the open-source HTTP Server instances run on a Linux distribution but current versions also run on Microsoft Windows, OpenVMS, and a wide variety of Unix-like systems.
As we said in our previous article, there were approximately 112,000 potentially exposed servers all over the world including United States (43,000), Germany (12,000), Canada (10,000), France (7,000), and the United Kingdom (4,000).
According to developers,
An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.
If files outside of these directories are not protected by the usual default configuration ‘require all denied’, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.
Given the fact that so many servers are exposed to the vulnerability, the need for administrators to upgrade their Apache HTTP servers becomes even more crucial.
What Happened After the Last Fix?
Yesterday, Apache Software Foundation issued version 2.4.51 after it realized that the previously released patch for CVE-2021-41773 vulnerability was not sufficient.
The new patch addresses path traversal and remote code execution flaws CVE-2021-41773 and CVE-2021-42013, existing in Apache HTTP Server versions 2.4.49 and 2.4.50.
The security researchers Juan Escobar from Dreamlab Technologies, Fernando Muñoz from Null Life CTF Team, and Shungo Kumasaka were the ones to discover the incomplete patch for the CVE-2021-41773 flaw, as well as the new vulnerability – CVE-2021-42013.
According to the United States Computer Emergency Readiness Team (US-CERT), the newly discovered issue is also being used in ongoing campaigns.
? Active scanning of Apache HTTP Server CVE-2021-41773 & CVE-2021-42013 is ongoing and expected to accelerate, likely leading to exploitation. Please patch immediately if you haven’t already—this cannot wait until after the weekend. Read more: https://t.co/4Ljk730wz4 pic.twitter.com/TYPiXhOluf
— US-CERT (@USCERT_gov) October 7, 2021
System administrators are advised to upgrade their servers to the new version as soon as possible.