The developers of the Apache HTTP Server Project urge users to immediately apply a patch to address a zero-day vulnerability.
According to a security advisory on October 5, attackers have been known to actively exploit the bug.
A “path traversal” vulnerability
Apache HTTP Server is a popular open source project that develops HTTP server software for modern operating systems, including UNIX and Windows.
Apache HTTP Server version 2.4.49 fixed a large number of security vulnerabilities, including a validation bypass, a NULL pointer dereference, a denial of service issue, and a severe server-side request forgery (SSRF) vulnerability.
However, the update also inadvertently introduced a separate and critical issue: a “path traversal” vulnerability, which can be exploited to map and reveal files.
Remote code execution
Listed as CVE-2021-41773, the vulnerability was discovered by Ash Daulton of the cPanel security team; it stems from a change to path normalization in the server software.
“An attacker could use this attack to map URLs to files outside of the expected document root,” the developers say. “If files outside the document root are not protected by the ‘Require all denied’ setting, these requests may be successful. Also, this flaw could allow source filtering of files interpreted as CGI scripts.”
Positive Technologies reproduced the bug, and Will Dormann, Vulnerability Analyst at CERT/CC, explains that if the mod_cgi module is enabled on Apache HTTP Server 2.4.49 and the default “Require all denied” setting is missing, then “CVE-2021-41773 also allows remote code execution”.
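The two conditions named above (no deny rule outside the document root, and mod_cgi enabled) can be read directly off an httpd.conf. The following constructed configuration fragments are an added illustration, not taken from the advisory or the Apache project; the paths and directory names are placeholders.

```apache
# --- Exposed layout (constructed): httpd 2.4.49 with mod_cgi loaded and no
# access rule for the filesystem root. A request whose normalized path ends up
# outside DocumentRoot has nothing denying it, and the CGI handler is active,
# which is the combination the advisory and CERT/CC describe.
LoadModule cgi_module modules/mod_cgi.so
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Require all granted
</Directory>
ScriptAlias "/cgi-bin/" "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    Options +ExecCGI
    Require all granted
</Directory>
# Note what is missing: there is no <Directory /> block, so the server-wide
# default of denying everything outside the served directories is not in place.

# --- Hardened layout (constructed): deny the whole filesystem by default, then
# grant access only to the directories that are meant to be served. This is the
# "Require all denied" protection the developers refer to, and it is what the
# stock httpd.conf shipped with 2.4.x already contains. It limits what a
# traversal can reach, but the real fix is upgrading to 2.4.50 or later.
<Directory />
    AllowOverride None
    Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    AllowOverride None
    Require all granted
</Directory>
# Load mod_cgi only if CGI is actually needed; leaving it out removes the
# remote code execution path described by CERT/CC.
#LoadModule cgi_module modules/mod_cgi.so
```

A quick way to check a running instance is `httpd -v` for the version and `httpd -M` for the loaded modules (cgi_module), followed by a review of the configuration for a `<Directory />` block with `Require all denied`.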
A patch available from October 4
CVE-2021-41773 affects only Apache HTTP Server 2.4.49, because the flaw was introduced in that release; older versions of the software are not affected.
This Tuesday, researchers from Sonatype reported that approximately 112,000 Apache servers were running the vulnerable version, of which approximately 40% are in the United States.
The vulnerability was privately reported on September 29, and a patch was included in version 2.4.50, which was released on October 4. It is recommended that users update their software versions as soon as possible.