The Apache Software Foundation has rushed to release a patch to fix a pair of HTTP web server vulnerabilities, at least one of which is already actively exploited.
Apache’s HTTP server is widely used, and the vulnerabilities, CVE-2021-41524 and CVE-2021-41773, aren’t terrible. The latter, a path traversal and file disclosure flaw, is particularly problematic.
The first was reported to the Apache security team on September 17 and can be exploited by an external source to DoS a server with a specially crafted request. It appeared in version 2.4.49, which was released on September 15, and the Apache team is not aware of any exploits.
The other, a critical data leak bug, was also introduced in 2.4.49. Apache said yesterday that the flaw was reported to the security team on September 29 and a patch was prepared on October 1. The patch was released, along with a fix for the other vulnerability, on October 4 in version 2.4.50.
According to Apache, CVE-2021-41773 allows an attacker "to use a path traversal attack to map URLs to files outside of the expected document root." If those files are not protected by a "Require all denied" directive, the request can succeed, so arbitrary files can be read and the source code of interpreted files such as CGI scripts can leak.
The flaw crept in during a change to path normalization in version 2.4.49 of the Apache HTTP server. To be clear, both bugs are only present in version 2.4.49.
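The "Require all denied" protection Apache refers to is the filesystem-wide default in a stock httpd.conf; a configuration that opens the whole filesystem is what turns the traversal bug into a file-disclosure hole. Added example, not from the article or the Apache advisory; the document root path and the cgi-bin path are assumptions.

```apache
# WEAK: a blanket grant on the filesystem root means any path the
# traversal bug maps outside DocumentRoot is served without question.
<Directory />
    AllowOverride None
    Require all granted
</Directory>

# HARDENED: deny everything at the filesystem root, then grant access
# only to the directories that are meant to be served. Files the
# traversal reaches outside these directories are refused, because the
# only authorization rule that matches them is the top-level deny.
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# Assumed document root; only this tree is readable over HTTP.
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# Assumed CGI location; scripts here may execute but their source must
# not be served as plain files, so keep them outside DocumentRoot.
ScriptAlias "/cgi-bin/" "/usr/lib/cgi-bin/"
<Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options +ExecCGI
    Require all granted
</Directory>
```

After editing, run `apachectl configtest` and reload; the configuration limits the blast radius but is not a substitute for upgrading to 2.4.50, which the article names as the fix.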
The advice, as always, is to patch the affected servers. Criminals are already exploiting one of the holes. Given how new version 2.4.49 is, few systems will be running it and therefore be vulnerable.
That said, there are about 113,000 potentially at-risk boxes, some of which are likely honeypots, facing the public internet right now, according to Shodan. ®