Apache HTTP Server Vulnerabilities

Apache recently released security updates for two vulnerabilities in Apache HTTP Server: a Path Traversal Vulnerability (CVE-2021-41773) and a Remote Code Execution Vulnerability (CVE-2021-42013). An attacker could exploit these vulnerabilities to take control of an affected system, and both have been exploited in the wild. Owners of systems running the affected Apache HTTP Server versions are urged to upgrade as soon as possible.


Vulnerabilities

  • Path Traversal Vulnerability (CVE-2021-41773)
    • Affects Apache HTTP Server version 2.4.49 only.
    • A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside the document root are not protected by “require all denied”, these requests can succeed. Additionally, this flaw could leak the source code of interpreted files, such as CGI scripts.
  • Remote Code Execution Vulnerability (CVE-2021-42013)
    • Affects Apache HTTP Server versions 2.4.49 and 2.4.50 only.
    • It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives, and the flaw could allow remote code execution.


Severity Level

  • Critical


Affected Systems

  • Apache HTTP Server version 2.4.49
  • Apache HTTP Server version 2.4.50


Remediation

  • Upgrade the Apache HTTP Server to the latest version, 2.4.51 [Updated on 2021-10-08], as soon as possible.
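To confirm which installed builds fall in the affected range, the version banner printed by `httpd -v` (or `apache2 -v`) can be parsed and compared against the versions listed in this advisory. The script below is an added example, not part of the advisory or the Apache project; the banner strings it is tested with are constructed, and the `local_httpd_version` helper assumes the usual binary names are on the PATH.

```python
"""Assess an Apache HTTP Server version banner against this advisory.

Added example; not part of the advisory or the Apache project. It parses the
'Server version:' line printed by `httpd -v` / `apache2 -v` and reports whether
the build is one of the affected releases (2.4.49, 2.4.50), is at or above the
fixed release 2.4.51, or predates the affected range. Banner strings used in
the self-check are constructed.
"""
import re
import subprocess

AFFECTED = {(2, 4, 49), (2, 4, 50)}   # per the advisory
FIXED = (2, 4, 51)                    # remediation target named above
VERSION_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str):
    """Extract (major, minor, patch) from a banner such as
    'Server version: Apache/2.4.49 (Unix)'; None if no version is present."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def assess(banner: str) -> str:
    """Classify the banner as affected, fixed, not affected, or unknown."""
    v = parse_version(banner)
    if v is None:
        return "unknown: no Apache/x.y.z version found in banner"
    label = "%d.%d.%d" % v
    if v in AFFECTED:
        return "AFFECTED: %s is vulnerable to CVE-2021-41773/CVE-2021-42013; upgrade to 2.4.51" % label
    if v >= FIXED:
        return "fixed: %s is at or above 2.4.51" % label
    return "not affected: %s predates the affected range (2.4.49-2.4.50)" % label


def local_httpd_version(binaries=("httpd", "apache2", "apachectl")):
    """Run '<binary> -v' for the first Apache binary found on PATH and return
    its output, or None if none is installed (assumed binary names)."""
    for binary in binaries:
        try:
            proc = subprocess.run([binary, "-v"], capture_output=True,
                                  text=True, timeout=5)
        except (FileNotFoundError, subprocess.TimeoutExpired):
            continue
        if proc.returncode == 0:
            return proc.stdout
    return None


if __name__ == "__main__":
    banner = local_httpd_version()
    if banner is None:
        print("no Apache HTTP Server binary found on PATH")
    else:
        print(assess(banner))
```

One caveat for package-managed hosts: distributions that backport security fixes keep the upstream version number, so the banner alone can misreport a patched package; cross-check the package changelog or the vendor's advisory before closing a finding.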

Published on: 8 Oct 2021