Apache HTTP Server Project patches exploited zero-day vulnerability | ZDNet

Developers behind the Apache HTTP Server Project are urging users to apply a fix immediately to resolve a zero-day vulnerability. 

According to a security advisory dated October 5, the bug is known to be actively exploited in the wild. 

Apache HTTP Server is a popular open source project focused on the development of HTTP server software suitable for operating systems including UNIX and Windows.

The release of Apache HTTP Server version 2.4.49 fixed a slew of security flaws including a validation bypass bug, NULL pointer dereference, a denial-of-service issue, and a severe Server-Side Request Forgery (SSRF) vulnerability. 

However, the update also inadvertently introduced a separate, critical issue: a path traversal vulnerability that can be exploited to map and leak files. 

Tracked as CVE-2021-41773, the security flaw was discovered by Ash Daulton of the cPanel security team in a change made to path normalization in the server software. 

“An attacker could use a path traversal attack to map URLs to files outside the expected document root,” the developers say. “If files outside of the document root are not protected by ‘Require all denied’ these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts.”
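The request shape the advisory describes is a URL whose path, once decoded, climbs above the document root. The following Python is an added example, not code from the ZDNet article or from the Apache project, that scans access log lines in Common Log Format for exactly that: it percent-decodes each request path until it stops changing (so double-encoded dots are caught), walks the path segments, and flags any request that would step above `/`. The log lines are constructed samples using documentation IP addresses and placeholder file names.

```python
import re
from urllib.parse import unquote

# Constructed sample access log in Common Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234
203.0.113.8 - - [05/Oct/2021:10:00:02 +0000] "GET /icons/../../../../etc/hostname HTTP/1.1" 200 17
203.0.113.9 - - [05/Oct/2021:10:00:03 +0000] "GET /icons/%2e%2e/%2e%2e/secret.txt HTTP/1.1" 403 199
203.0.113.10 - - [05/Oct/2021:10:00:04 +0000] "GET /a/../b.html HTTP/1.1" 200 50
"""

# host ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def decode_path(raw):
    """Drop the query string and percent-decode until the result is stable."""
    path = raw.split("?", 1)[0]
    for _ in range(3):  # bounded: protects against pathological nesting
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_docroot(raw_path):
    """True if the decoded path, resolved from '/', would climb above it."""
    depth = 0
    for seg in decode_path(raw_path).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def find_traversal(lines):
    """Return one record per request whose path escapes the document root."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-CLF line; skip rather than guess
        if escapes_docroot(m.group("path")):
            hits.append({
                "host": m.group("host"),
                "path": m.group("path"),
                "decoded": decode_path(m.group("path")),
                "status": int(m.group("status")),
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG.splitlines()):
        verdict = "SERVED - investigate" if hit["status"] == 200 else "blocked"
        print(f'{hit["host"]} {hit["path"]} -> {hit["decoded"]} [{hit["status"]}] {verdict}')
```

In the sample, the request from 203.0.113.8 returned 200, meaning the server mapped and served something outside the document root, which is the outcome the advisory warns about when the root is not protected by ‘Require all denied’; the 403 from 203.0.113.9 shows the deny rule holding. The `/a/../b.html` request is correctly left alone because it never leaves the document root.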

Positive Technologies has reproduced the bug, and Will Dormann, vulnerability analyst at CERT/CC, says that if the mod_cgi module is enabled on Apache HTTP Server 2.4.49 and the default ‘Require all denied’ directive is missing, then “CVE-2021-41773 is as RCE [remote code execution] as it gets.”

CVE-2021-41773 only impacts Apache HTTP Server 2.4.49: the flaw was introduced in that release, so earlier versions of the software are not affected. 
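The article ties exposure to two conditions: running exactly 2.4.49, and the filesystem root (`<Directory />`) not carrying ‘Require all denied’. The following Python is an added example, not tooling from the Apache project, that checks both from text you hand it: the banner printed by `httpd -v` and the contents of httpd.conf. The two sample configurations are constructed; the shape of the `<Directory />` block follows the advisory's wording rather than any particular distribution's shipped file.

```python
import re

# Constructed sample: root guarded with "Require all denied", as the
# advisory expects; the document root itself is opened separately.
HARDENED_CONF = """\
ServerRoot "/usr/local/apache2"
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/usr/local/apache2/htdocs"
<Directory "/usr/local/apache2/htdocs">
    Require all granted
</Directory>
"""

# Constructed sample: an administrator relaxed the root block.
WEAK_CONF = """\
ServerRoot "/usr/local/apache2"
<Directory />
    AllowOverride none
    # Require all denied   (commented out; must not count)
    Require all granted
</Directory>
DocumentRoot "/usr/local/apache2/htdocs"
"""

AFFECTED_VERSION = "2.4.49"  # the only release the article names as affected
VERSION_RE = re.compile(r"Apache/(\d+\.\d+\.\d+)")
DIRECTORY_BLOCK = re.compile(
    r'<Directory\s+"?(?P<path>[^">\s]+)"?\s*>(?P<body>.*?)</Directory>',
    re.IGNORECASE | re.DOTALL,
)


def is_affected_version(banner):
    """Parse an 'httpd -v' banner such as 'Server version: Apache/2.4.49 (Unix)'."""
    m = VERSION_RE.search(banner)
    return bool(m) and m.group(1) == AFFECTED_VERSION


def directory_blocks(conf_text):
    """Yield (path, directive_lines) per <Directory> block, comments dropped."""
    for m in DIRECTORY_BLOCK.finditer(conf_text):
        lines = [ln.strip() for ln in m.group("body").splitlines()]
        yield m.group("path"), [ln for ln in lines if ln and not ln.startswith("#")]


def root_denies_all(conf_text):
    """True only if <Directory /> contains an active 'Require all denied'."""
    for path, lines in directory_blocks(conf_text):
        if path == "/":
            return any(
                re.fullmatch(r"Require\s+all\s+denied", ln, re.IGNORECASE)
                for ln in lines
            )
    return False  # no root block at all: nothing stops a mapping outside the docroot


def audit(conf_text, version_banner):
    """Return a list of findings; an empty list means neither condition holds."""
    findings = []
    if is_affected_version(version_banner):
        findings.append("running Apache HTTP Server 2.4.49 (CVE-2021-41773); upgrade to 2.4.50")
    if not root_denies_all(conf_text):
        findings.append("<Directory /> lacks 'Require all denied'; requests mapped "
                        "outside the document root can succeed")
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_CONF, "Server version: Apache/2.4.49 (Unix)"):
        print("FINDING:", finding)
```

Feeding it real input means passing the output of `httpd -v` and the text of the main configuration file; the check deliberately ignores commented-out directives, since a `# Require all denied` line protects nothing.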

Yesterday, Sonatype researchers said that approximately 112,000 Apache servers are running the vulnerable version, with roughly 40% located in the United States. 

The vulnerability was privately reported on September 29 and a fix has been included in version 2.4.50, made available on October 4. It is recommended that users upgrade their software builds as quickly as possible. 
