Apache fixes actively exploited web server zero-day
The Apache Software Foundation released a security patch on Monday to address a vulnerability in its HTTP Server project that has been actively exploited in the wild.
Tracked as CVE-2021-41773, the vulnerability affects only Apache web servers running version 2.4.49 and occurs because of a bug in how the Apache server converts between different URL path schemes (a process called path or URI normalization).
“An attacker could use a path traversal attack to map URLs to files outside the expected document root,” the ASF team said in the Apache HTTP Server 2.4.50 changelog.
“If files outside of the document root are not protected by ‘require all denied’ these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts,” Apache engineers added.
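As an added illustration of the normalization ordering the changelog describes, and not Apache's own code (which is C and structured differently): a small Python model in which `resolve_naive` normalizes the path before percent-decoding it, while `resolve_hardened` decodes first, then normalizes, then checks that the result stays under the document root. The docroot and request paths are constructed samples.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed sample document root; on a real server this is DocumentRoot.
DOCROOT = "/var/www/html"


def _inside_docroot(path: str) -> bool:
    """Lexical containment: path is DOCROOT itself or a descendant of it."""
    return path == DOCROOT or path.startswith(DOCROOT + "/")


def resolve_naive(url_path: str) -> Optional[str]:
    """Simplified model of the bug class: normalize first, decode afterwards.

    Dot-segment removal runs on the raw path, so an encoded '.' is not seen
    as a dot segment; the containment check passes, and only then does
    decoding turn it into a real '..' that the filesystem will honour.
    """
    normalized = posixpath.normpath(DOCROOT + url_path)
    if not _inside_docroot(normalized):
        return None
    return unquote(normalized)


def resolve_hardened(url_path: str) -> Optional[str]:
    """Decode fully, then normalize, then check containment; None = refuse."""
    decoded = url_path
    for _ in range(3):  # bounded loop: nested encoding layers must converge
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        return None  # still changing after three rounds: treat as hostile
    if "\x00" in decoded or not decoded.startswith("/"):
        return None
    normalized = posixpath.normpath(DOCROOT + decoded)
    if not _inside_docroot(normalized):
        return None  # escaped the document root: the equivalent of a 403
    return normalized


if __name__ == "__main__":
    for req in ("/index.html", "/docs/../b.html", "/%2e%2e/private/secret.conf"):
        print(req, "naive ->", resolve_naive(req), "| hardened ->", resolve_hardened(req))
```

The naive variant hands back a path that still contains `..` after decoding, which is exactly why the changelog recommends `require all denied` on everything outside the document root as a second line of defence.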
Attacks exploiting this bug were spotted by Ash Daulton along with the cPanel Security Team, both of whom reported the issue to the Apache team.
Hours after the 2.4.50 version was released, several security researchers were able to reproduce the vulnerability and release multiple proof-of-concept exploits on Twitter and GitHub.
The good news is that not all installations run the latest 2.4.49 release, and administrators can easily mitigate the zero-day attacks by skipping 2.4.49 and upgrading to 2.4.50 directly.