The popular Apache HTTP Server has received an update to patch a directory traversal vulnerability in versions 2.4.49 and 2.4.50; the latter was originally thought to fix the issue but didn’t.
Administrators should verify whether they are running an affected version and apply updates or mitigations as needed.
Apache announced that it has released 2.4.51 to address an incomplete fix to the directory traversal flaw announced earlier in the week. In addition to the original vulnerability, CVE-2021-41773, they are tracking a new Directory Traversal vulnerability impacting both 2.4.49 and 2.4.50 (CVE-2021-42013).
CISA released an updated advisory and is warning about active scanning and exploit attempts in the wild.
Originally released in 1995, Apache Software Foundation’s prolific HTTP Server serves approximately 25% of the top million websites, according to Netcraft.
A Proof of Concept exploit exists and there are various reports of active exploits in the wild.
The two vulnerabilities, CVE-2021-41773 and CVE-2021-42013, are flaws that allow a user to traverse outside the traditional HTTP server document root (where the web site application files are stored).
If files outside of the document root are not protected by the “require all denied” configuration (which is the application default), the request can succeed.
This allows an attacker to access the underlying system data, potentially exposing information such as system configuration files or proprietary CGI script source code.
In addition, BleepingComputer is reporting that a PoC exists that is capable of Remote Code Execution (RCE) if CGI support is enabled through mod_cgi.
This issue only affects Apache 2.4.49 and 2.4.50, but not earlier versions. It is recommended you patch Apache HTTP Server to 2.4.51 or above.
It is highly recommended that you ensure “Require All Denied” is configured for your server if possible. Not only is this an effective mitigation for this vulnerability, but it could harden the system against additional path traversal attacks discovered in the future.
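Both recommendations above (the version check and the “Require all denied” check) can be audited together. The following is an added example, not code from Apache or the original article; the function names, finding labels and sample configurations are constructed for illustration, and the parser assumes a single configuration file without following `Include` directives.

```python
import re

AFFECTED = {"2.4.49", "2.4.50"}  # the two releases the article names as vulnerable
ROOT_OPEN = re.compile(r'^<Directory\s+"?/"?\s*>$', re.I)
BLOCK_CLOSE = re.compile(r"^</Directory\s*>$", re.I)
REQUIRE_ALL = re.compile(r"^Require\s+all\s+(denied|granted)$", re.I)

def parse_version(banner):
    """Pull x.y.z out of `httpd -v` output, e.g. 'Server version: Apache/2.4.49 (Unix)'."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", banner)
    return m.group(1) if m else None

def root_directory_denied(conf_text):
    """True only if <Directory /> says 'Require all denied' and never 'granted'."""
    # Simplification (assumption): Include files and nested containers are ignored.
    in_root, seen = False, set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # commented-out directives do not count
            continue
        if ROOT_OPEN.match(line):
            in_root = True
        elif in_root and BLOCK_CLOSE.match(line):
            in_root = False
        elif in_root and (m := REQUIRE_ALL.match(line)):
            seen.add(m.group(1).lower())
    return seen == {"denied"}

def audit(banner, conf_text):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if parse_version(banner) in AFFECTED:
        findings.append("affected-version: upgrade to 2.4.51 or above")
    if not root_directory_denied(conf_text):
        findings.append("root-not-denied: add 'Require all denied' to <Directory />")
    return findings

# Constructed sample configurations (not taken from any real server).
HARDENED = """<Directory />
    Require all denied
</Directory>
<Directory "/srv/www">
    Require all granted
</Directory>"""
WEAK = """<Directory />
    # Require all denied
    Require all granted
</Directory>"""

if __name__ == "__main__": print(audit("Server version: Apache/2.4.49 (Unix)", WEAK))
```

Feed `audit()` the output of `httpd -v` and the text of the server's main configuration file; a grant on a specific content directory such as the constructed `/srv/www` does not affect the root check.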
The fact that this vulnerability can be effectively mitigated by software configuration shows the importance of hardening servers according to industry best practices. This is especially important for publicly facing web servers.
NVD Entry CVE-2021-41773
NVD Entry CVE-2021-42013
Apache Release Notes Discussing CVE-2021-41773
BleepingComputer Article Suggesting RCE Possible If CGI Enabled