[URGENT] Apache Fixes Zero-Day Vulnerability Already Being Exploited: Patch Update Recommended ASAP: Over 100,000 Units Online


The Apache Software Foundation has released version 2.4.50 of its HTTP Web Server, addressing two vulnerabilities. One of these vulnerabilities is a path traversal and file disclosure vulnerability that is being actively exploited in attacks.

https://httpd.apache.org/security/vulnerabilities_24.html

The Apache HTTP Server is an open source, cross-platform web server that is very popular for its versatility, robustness, and the fact that it is free of charge. A vulnerability in this product can therefore have a widespread impact.

This vulnerability, tracked as CVE-2021-41773, allows a path traversal attack to map a URL to a file outside of the expected document root.

https://www.cve.org/CVERecord?id=CVE-2021-41773

A vulnerability existed in a change made in Apache HTTP Server 2.4.49 regarding path normalization. An attacker could use a path traversal attack to map a URL to a file outside the expected document root. If files outside the document root are not protected by “require all denied”, these requests can succeed.

In addition, this vulnerability can lead to the disclosure of the source of interpreted files, such as CGI scripts. This issue has already been known to be exploited. This issue only affects Apache 2.4.49 and does not affect earlier versions.

What is a path traversal attack

Path traversal attacks send requests that try to reach back-end or sensitive directories on the server. Such requests are normally blocked, but in this case the filter was bypassed by using percent-encoded (ASCII) characters in the URL.
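The filter bypass described above comes down to one detail: a check that looks at the raw request line never sees the `..` that appears only after percent-decoding. The following script is an added example (not code from the article or from the Apache project) that scans constructed Common Log Format lines, decodes each request path the way a server would, and reports traversal attempts that a naive string match on the raw path would miss. The log lines, client addresses and paths are constructed for illustration; the check is a generic encoded-traversal detector, not a reimplementation of the 2.4.49 normalization logic.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [05/Oct/2021:10:00:02 +0000] "GET /cgi-bin/../etc/passwd HTTP/1.1" 400 226
203.0.113.9 - - [05/Oct/2021:10:00:03 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1234
203.0.113.9 - - [05/Oct/2021:10:00:04 +0000] "GET /icons/%2e%2e%2fsomething HTTP/1.1" 404 196
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def naive_filter_blocks(raw_path: str) -> bool:
    """A filter that inspects only the raw, still-encoded path.
    This is the kind of check an encoded request slips past."""
    return "/../" in raw_path or raw_path.startswith("../")


def normalized_segments(raw_path: str) -> list[str]:
    """Percent-decode the path (query string dropped) and split it into
    segments, i.e. the view the server has after decoding."""
    path = raw_path.split("?", 1)[0]
    decoded = unquote(path)
    # Decode a second time so double-encoded sequences (%252e) are caught too.
    decoded = unquote(decoded)
    return [seg for seg in decoded.split("/") if seg != ""]


def has_traversal(raw_path: str) -> bool:
    """Flag any request whose decoded path contains a '..' segment."""
    return ".." in normalized_segments(raw_path)


def scan_log(text: str) -> list[tuple[str, str, bool]]:
    """Return (client, raw_path, evaded_naive_filter) for every request
    whose decoded path climbs above its directory."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw_path = m.group("path")
        if has_traversal(raw_path):
            client = line.split(" ", 1)[0]
            hits.append((client, raw_path, not naive_filter_blocks(raw_path)))
    return hits


if __name__ == "__main__":
    for client, path, evaded in scan_log(SAMPLE_LOG):
        tag = "evaded naive filter" if evaded else "caught by naive filter"
        print(f"{client} {path} ({tag})")
```

Run against a real access log, only the decoded-path check is worth alerting on; the naive filter is included purely to show what it misses.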

When the vulnerability was disclosed, administrators were warned to patch it immediately.

A search of Shodan shows that over 100,000 units of Apache HTTP Server 2.4.49 are deployed online, many of which could be exploited, so it is imperative that the software be updated as soon as possible.

https://twitter.com/ptswarm/status/1445376079548624899

Recreation of CVE-2021-41773, a new path traversal vulnerability in Apache 2.4.49.

If files outside the document root are not protected by “require all denied”, these requests may succeed.

Please apply the patch as soon as possible.

This vulnerability was discovered and reported to Apache by security researcher Ash Daulton and the cPanel Security Team on September 29, 2021. Because it is a vulnerability that is being actively used in attacks, its patching was done fairly quickly.

At this time, it is not known how this vulnerability is being used in attacks, but Apache has reported the following:

Apache HTTP Server 2.4.49 was just released a few weeks ago, so many users probably haven’t upgraded yet. How this issue is exploited depends largely on how the user configures the server; if you are using 2.4.49, we recommend that you upgrade to the latest version rather than using the access control settings as a mitigation.

In addition, even with a default installation, an attacker can use this vulnerability to obtain the source code of CGI scripts and other interpreted files.

The second vulnerability, CVE-2021-41524, is a NULL pointer dereference detected during HTTP/2 request processing. This vulnerability allows an attacker to launch a denial of service (DoS) attack against a server.

This vulnerability also exists only in version 2.4.49 of Apache HTTP Server, but it is not known to be actively used in attacks.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41524
