The Apache Software Foundation has hurried out patches for several vulnerabilities in its HTTP web server, at least one of which is already being actively exploited.
Apache’s HTTP Server is widely used, and the vulnerabilities, CVE-2021-41524 and CVE-2021-41773, are not great. The latter, a path traversal and file disclosure flaw, is particularly problematic.
The first was reported to the Apache security team on September 17 and can be used by an external source to DoS a server with a specially crafted request. It appeared in version 2.4.49, which was released on September 15, and the Apache crew does not know of any exploits.
The other, a critical data-leaking bug, was also introduced in version 2.4.49. Apache said yesterday the flaw was reported to the security team on 29 September and a patch prepared on 1 October. The fix was released, along with a fix for another vulnerability, on October 4 in version 2.4.50.
According to Apache, CVE-2021-41773 allows an attacker to “use a path traversal attack to map URLs to files outside the expected document root.” If those files are not protected by “require all denied”, then all sorts of bad things can happen: the file request may succeed, the source of CGI scripts may leak, and so on.
The flaw arrived with a change to path normalization in version 2.4.49 of the Apache HTTP server. To be clear, both bugs are present only in 2.4.49.
The advice, as always, is to patch the affected servers. Attackers are already exploiting one of the holes. Given how new version 2.4.49 is, not too many systems will be running it and therefore be vulnerable.
Even so, according to Shodan, there are about 113,000 potentially vulnerable boxes, some of which are probably honeypots, currently facing the public internet. ®
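
A defender-side check for the two conditions described above (the 2.4.49 release and a filesystem root not covered by "Require all denied"), as an added example that is not code from Apache or from the original article. The banner strings, sample configs and function names are constructed for illustration, and the regex-based parsing is a simplification that assumes a single config file with no Include directives.

```python
import re

AFFECTED_VERSION = "2.4.49"  # per the article, both CVEs exist only in this release
# Matches a <Directory /> or <Directory "/"> section and captures its body.
ROOT_DIR_RE = re.compile(r'<Directory\s+"?/"?\s*>(.*?)</Directory>', re.I | re.S)
DENY_RE = re.compile(r"^\s*Require\s+all\s+denied\s*$", re.I | re.M)

# Constructed sample configs: the weak setting beside the corrected one.
WEAK_CONF = """<Directory />
    AllowOverride none
    Require all granted
</Directory>
"""
HARDENED_CONF = """<Directory />
    AllowOverride none
    Require all denied
</Directory>
<Directory "/var/www/html">
    Require all granted
</Directory>
"""

def root_is_denied(conf_text):
    """True if a <Directory /> section contains an active 'Require all denied'."""
    active = "\n".join(l for l in conf_text.splitlines()
                       if not l.lstrip().startswith("#"))  # skip comment lines
    return any(DENY_RE.search(body) for body in ROOT_DIR_RE.findall(active))

def audit(server_banner, conf_text):
    """Return the list of findings for one host (empty list means none)."""
    findings = []
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", server_banner)
    if m is None:
        findings.append("version unknown: check the installed package")
    elif m.group(1) == AFFECTED_VERSION:
        findings.append("running 2.4.49: upgrade (CVE-2021-41524, CVE-2021-41773)")
    if not root_is_denied(conf_text):
        findings.append("no 'Require all denied' on <Directory />")
    return findings

if __name__ == "__main__":
    for banner, conf in [("Apache/2.4.49 (Unix)", WEAK_CONF),
                         ("Apache/2.4.50 (Unix)", HARDENED_CONF)]:
        print(banner, "->", audit(banner, conf) or "no findings")
```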