Critical Vulnerability in Apache HTTP Server

Published on 06 Oct 2021

Updated on 08 Oct 2021

Second update on 8 Oct 2021.

Apache has released a new security update to address Path Traversal and Remote Code Execution vulnerabilities (CVE-2021-41773, CVE-2021-42013) in Apache HTTP Server 2.4.49 and 2.4.50.

Administrators should upgrade to the latest version (2.4.51) immediately.

 

First update on 7 Oct 2021.

Security researchers have verified that besides path traversal, the vulnerability can also be used for remote code execution when specific conditions are met.

Administrators should upgrade to the latest version immediately.

 

Original alert published on 6 Oct 2021:

Apache has released security updates to address a critical vulnerability (CVE-2021-41773) found in their HTTP server. This vulnerability allows attackers to map URLs to files easily via a path traversal attack. Successful exploitation of this vulnerability may allow attackers to gain access to arbitrary files on the affected server. 

This vulnerability affects only version 2.4.49 of the Apache HTTP Server.

Administrators of the affected version are advised to upgrade to the latest version immediately.

 

More information is available here:

https://httpd.apache.org/security/vulnerabilities_24.html

https://blog.sonatype.com/apache-servers-actively-exploited-in-wild-importance-of-prompt-patching

https://www.rapid7.com/blog/post/2021/10/06/apache-http-server-cve-2021-41773-exploited-in-the-wild/

https://www.bleepingcomputer.com/news/security/actively-exploited-apache-0-day-also-allows-remote-code-execution/

https://www.us-cert.cisa.gov/ncas/current-activity/2021/10/07/apache-releases-http-server-version-2451-address-vulnerabilities/