Summary

On 5th October, Apache released HTTP 2.4.50 to fix an actively exploited vulnerability which was found in version 2.4.49. This vulnerability is a path traversal vulnerability tracked as CVE-2021-41773. “An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by “require all denied” these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts.” Apache mentioned in the security advisory they released.

After the release researchers analyzed and started to exploit the vulnerability. Research was able to figure out that the vulnerability allows remote code execution when mod-cgi is enabled.

However, on 7th October Apache was able to fix this incomplete patch. Apache released HTTP 2.4.51. fixing the incomplete fix of the path Traversal Vulnerability and Remote code Execution tracked as CVE-2021-42013. “It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.”

These two vulnerabilities now publicly disclosed and is actively exploited in ongoing attacks. Administrates are strongly advised to update to HTTP 2.4.51. fixing as soon as possible.

Impact

• Allows threat actors to view the contents of files stored on a vulnerable server.

Remediate

• Update Apache HTTP servers to the latest version 2.4.51

References

• https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-42013
• https://us-cert.cisa.gov/ncas/current-activity/2021/10/07/apache-releases-http-server-version-2451-address-vulnerabilities
• https://www.bleepingcomputer.com/news/security/apache-emergency-update-fixes-incomplete-patch-for-exploited-bug/