Apache HTTP Server Project patches exploited zero-day vulnerability

The critical vulnerability is being actively exploited in the wild.

Developers behind the Apache HTTP Server Project are urging users to apply a fix immediately to resolve a zero-day vulnerability. 

According to a security advisory dated October 5, the bug is known to be actively exploited in the wild. 

Apache HTTP Server is a popular open source project focused on the development of HTTP server software suitable for operating systems including UNIX and Windows.

The release of Apache HTTP Server version 2.4.49 fixed a slew of security flaws including a validation bypass bug, NULL pointer dereference, a denial-of-service issue, and a severe Server-Side Request Forgery (SSRF) vulnerability. 

However, the update also inadvertently introduced a separate, critical issue: a path traversal vulnerability that can be exploited to map and leak files. 

Tracked as CVE-2021-41773, the security flaw was discovered by Ash Daulton of the cPanel security team in a change made to path normalization in the server software. 

"An attacker could use a path traversal attack to map URLs to files outside the expected document root," the developers say. "If files outside of the document root are not protected by "Require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts."

Positive Technologies has reproduced the bug and Will Dormann, vulnerability analyst at CERT/CC, says that if the mod-cgi function is enabled on Apache HTTP Server 2.4.49, and the default Require all denied function is missing, then "CVE-2021-41773 is as RCE [remote code execution] as it gets."

CVE-2021-41773 only impacts Apache HTTP Server 2.4.49 as it was introduced in this update and so earlier versions of the software are not impacted. 

Yesterday, Sonatype researchers said that approximately 112,000 Apache servers are running the vulnerable version, with roughly 40% located in the United States. 

The vulnerability was privately reported on September 29 and a fix has been included in version 2.4.50, made available on October 4. It is recommended that users upgrade their software builds as quickly as possible. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0