Apache has issued a patch that addresses a zero day vulnerability in its HTTP web server project. Apache is an open-source web server for Unix and Windows that is among the most widely used web servers in the world. Successful exploitation could allow unauthorized users to trick the web server into returning files they should not be able to access, which could lead to further attacks or the compromise of data.
Attackers could use a path traversal attack to map URLs to files outside the expected document root, accessing unauthorized files.
Apache has issued a patch for CVE-2021-41773 that addresses a vulnerability in its HTTP web server 2.4.49. This vulnerability allows attackers to map URLs to files outside the expected document root and could leak the “source of interpreted files like CGI scripts ,” which can lead to further attacks.
This vulnerability affects all files outside of the document root that are not protected by the 'require all denied' setting.
Positive Technologies Offensive Team was able to reproduce the path traversal exploit, and posted this proof of concept on their Twitter account.
According to Tenable, “Just under 112,000 Apache HTTP Servers are running the vulnerable version.” Since version 2.4.49 was released just over 2 weeks ago, it’s likely that many admins have not yet updated their servers to this version. If this is the case, it is recommended to skip version 2.4.49 and patch directly to 2.4.50.
INDICATORS OF VULNERABILITY
Any Apache HTTP Servers running version 2.4.49 (this vulnerability does not affect older versions) are currently exposed.
Files outside of the document root not protected by ‘require all denied' are at risk.
Apache Web Servers should be updated to version 2.4.50 immediately.
Administrators should protect files outside of the document root with ‘require all denied'.
- Daniel Mervis, Cyber Security Analyst
- Samuel Bourgeois, vCISO
- Stephen Jones, Senior Director Cybersecurity