Apache HTTP Server v2.4.49 and v2.4.50 are affected by two vulnerabilities, one of which is already being actively exploited by attackers in the wild, according to CISA. Because scanning for vulnerable servers is happening rapidly, experts warn system administrators to apply the patch updates immediately.
Apache HTTP Server Vulnerabilities
Earlier this week, Ash Daulton of the cPanel security team found two vulnerabilities in Apache's HTTP Server v2.4.49, which an attacker could exploit to take over affected systems. The flaws were assigned CVE-2021-41773 and CVE-2021-42013. Apache immediately released an updated version of its software, v2.4.50, but this too was found to have bugs by Shungo Kumasaka, Dreamlab Technologies' Juan Escobar and NULL Life CTF's Fernando Muñoz. They created exploits right after finding the bugs and released them to the public for testing. Unfortunately, this prompted many to get their hands on vulnerable Apache servers, including malicious actors.

CISA even reported that the latest fixes weren't sufficient to patch the issue, as it had already found attackers exploiting the CVE-2021-41773 vulnerability. Thus, the Apache Software Foundation has now come up with two more fixes to patch the issue and urges everyone to apply them immediately.

Several experts quote different figures for exposed Apache HTTP Servers in the wild, with the Censys CTO claiming there are over 21,000. Sonatype researchers noted that of nearly 112,000 Apache servers running the vulnerable version, 40% are in the US, whereas Rapid7 Labs quoted 65,000 machines vulnerable to this hack.

So, updating to v2.4.50 isn't enough, as CISA pointed out that "an attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives." Applying the latest two fixes is the only solution to mitigate these hacks, as security agencies and experts have warned.
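The CISA quote above describes path traversal that escapes Alias-mapped directories. The following is an added example (not code from the article, Apache, or CISA) of how a defender might triage access logs for such attempts: it percent-decodes each request path repeatedly, because the v2.4.50 fix was bypassed with a second layer of encoding, then checks whether the decoded path climbs above the URL root. The log lines, IP addresses and paths are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed Apache access-log lines in Combined Log Format (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [06/Oct/2021:10:01:03 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 2044
203.0.113.9 - - [06/Oct/2021:10:01:04 +0000] "GET /icons/.%%32%65/.%%32%65/etc/hosts HTTP/1.1" 403 199
203.0.113.11 - - [06/Oct/2021:10:01:05 +0000] "GET /docs/a/../b.html HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_path(raw: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times (double encoding is what defeated the 2.4.50 fix).
    Stops early once another pass no longer changes the string."""
    path = raw
    for _ in range(rounds):
        nxt = unquote(path)
        if nxt == path:
            break
        path = nxt
    return path


def escapes_root(path: str) -> bool:
    """True when '..' segments in the decoded path climb above the URL root.
    A '..' that only backs out of a deeper segment (e.g. /docs/a/../b.html) is not flagged."""
    depth = 0
    for seg in path.split("?", 1)[0].split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def find_traversal(log_text: str) -> list:
    """Return one record per request whose decoded path escapes the root; a 200 status on
    such a request is the case to escalate, since it suggests the file was actually served."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_path(m["path"])
        if escapes_root(decoded):
            hits.append({"ip": m["ip"], "raw": m["path"], "decoded": decoded, "status": int(m["status"])})
    return hits
```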