Apache fixes actively exploited web server zero-day
The Apache Software Foundation released a security patch on Monday to address a vulnerability in its HTTP Web Server project that has been actively exploited in the wild.
Tracked as CVE-2021-41773, the vulnerability affects only Apache web servers running version 2.4.49 and occurs because of a bug in how the Apache server converts between different URL path schemes (a process called path or URI normalization).
"An attacker could use a path traversal attack to map URLs to files outside the expected document root," the ASF team said in the Apache HTTP Server 2.4.50 changelog.
"If files outside of the document root are not protected by 'require all denied' these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts," Apache engineers added.
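The two Apache statements above describe the defender's view of the bug: a request path that, after the server's URL normalisation, escapes the document root, and a "require all denied" rule as the thing that decides whether such a request succeeds. The following detection script is an added example, not code from the article or from the Apache project. It percent-decodes the request target of each access-log line once, walks the path segments, and flags any request that climbs above the root; the log lines are constructed for the example, and the assumption is the standard Apache "common" log format.

```python
# Added example (not from the article or the Apache project): flag Apache
# access-log requests whose percent-decoded path contains a ".." segment
# that would resolve above the document root.
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "common" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234
203.0.113.5 - - [05/Oct/2021:10:00:02 +0000] "GET /cgi-bin/../../etc/passwd HTTP/1.1" 403 199
203.0.113.5 - - [05/Oct/2021:10:00:03 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 2048
203.0.113.5 - - [05/Oct/2021:10:00:04 +0000] "GET /docs/a..b/file.txt HTTP/1.1" 200 10
203.0.113.5 - - [05/Oct/2021:10:00:05 +0000] "GET /static/./style.css HTTP/1.1" 200 50
"""

# Apache "common" log format: client, identd, user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def escapes_docroot(raw_target: str) -> bool:
    """Return True if the decoded request path climbs above the document root.

    The query string is dropped, the path is percent-decoded once (as a server
    does before normalising it), and the segments are walked with a depth
    counter: "." and empty segments are ignored, ".." steps up one level, and
    any other segment steps down one level. Going below depth 0 means the
    request resolves outside the root.
    """
    path = raw_target.split("?", 1)[0]
    decoded = unquote(path)  # turns %2e into "." and %2f into "/"
    depth = 0
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_log(text: str) -> list[dict]:
    """Parse each line and return a record for every request that escapes the root."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if escapes_docroot(m.group("target")):
            hits.append({
                "ip": m.group("ip"),
                "target": m.group("target"),
                "status": int(m.group("status")),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Reading the output, the status code is the useful second signal: a 403 on a flagged request means the server's access rules (such as the "require all denied" rule Apache refers to) turned it away, while a 200 on a flagged request is the case that warrants investigation of what was served.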
Attacks exploiting this bug were spotted by Ash Daulton along with the cPanel Security Team, both of which reported the issue to the Apache team.
Hours after the 2.4.50 version was released, several security researchers were able to reproduce the vulnerability and release multiple proof-of-concept exploits on Twitter and GitHub.
"We have reproduced the fresh CVE-2021-41773 Path Traversal vulnerability in Apache 2.4.49. If files outside of the document root are not protected by "require all denied" these requests can succeed. Patch ASAP!" — PT SWARM (@ptswarm), October 5, 2021
The good news is that not all Apache installations run the latest version, and administrators can easily mitigate the zero-day attacks by skipping the 2.4.49 version and upgrading to 2.4.50 directly.
Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.