Apache fixes actively exploited web server zero-day
Catalin Cimpanu October 5, 2021

Apache fixes actively exploited web server zero-day

Apache fixes actively exploited web server zero-day

The Apache Software Foundation has released on Monday a security patch to address a vulnerability in its HTTP Web Server project that has been actively exploited in the wild.

Tracked as CVE-2021-41773, the vulnerability affects only Apache web servers running version 2.4.49 and occurs because of a bug in how the Apache server converts between different URL path schemes (a process called path or URI normalization).

“An attacker could use a path traversal attack to map URLs to files outside the expected document root,” the ASF team said in the Apache HTTP Server 2.4.50 changelog.

“If files outside of the document root are not protected by ‘require all denied‘ these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts,” Apache engineers added.

Attacks exploiting this bug were spotted by Ash Daulton along with the cPanel Security Team, both of which reported the issue to the Apache team.

Hours after the 2.4.50 version was released, several security researchers were able to reproduce the vulnerability and release multiple proof-of-concept exploits on Twitter and GitHub.

Currently, the Apache HTTP Server is either #1 or #2 on the list of today’s most used web servers, with more than 120,000 servers currently exposed online to attacks.

The good news is that not all run the latest version, and administrators can easily mitigate the zero-day attacks by skipping the 2.4.49 version and upgrading to 2.4.50 directly.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.