Web admins told to upgrade (once again) to latest version
A patch that was released to fix a path traversal bug in Apache HTTP Server is insufficient in protecting against the vulnerability and could allow for remote code execution (RCE).
As previously reported by The Daily Swig, the high-impact vulnerability was thought to have been fixed in Apache Server version 2.4.50, which was released earlier this week.
However not only did the update fail to resolve the issue, developers of the software are also now warning it presents a bigger security issue than previously thought.
In a security advisory, the team behind Apache HTTP Server revealed that the update does not protect against a critical RCE bug, which is being exploited in the wild.
The blog post reads: “It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient.
“An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.
“If files outside of these directories are not protected by the usual default configuration ‘require all denied’, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.”
A September update to Apache HTTP Server 2.4 was released to address a number of issues including server-side request forgery (SSRF) and request smuggling bugs.
These were patched in version 2.4.49, however the update also introduced a new vulnerability when a flaw was found in changes made to the path normalization process.
This new issue allowed an attacker to use a path traversal attack to map URLs to files outside the expected document root.
Apache patched the issue in version 2.4.50, but this update was later determined not to be sufficient.
The developers then released the latest update 2.4.51 that addresses the path traversal bug as well as a newly-discovered RCE vulnerability.
‘Update cannot wait’
The US Cybersecurity and Infrastructure Security Agency (CISA) told web admins to update against the vulnerability and warned: “Please patch immediately if you haven’t already – this cannot wait until after the weekend.”
The federal agency added: “CISA is also seeing ongoing scanning of vulnerable systems, which is expected to accelerate, likely leading to exploitation.”
Web admins are urged to update to version 2.4.51 which can be found in the Apache advisory.
Source: The Daily Swig