Apache has released version 2.4.50 of the HTTP Server, which addresses two vulnerabilities (CVE-2021-41773 and CVE-2021-41524); one of the flaws is known to be actively exploited in the wild. Exploitation of these vulnerabilities could allow threat actors to perform path traversal attacks against, or cause a denial of service on, affected servers.

______________________________

A. Nature of the Vulnerabilities

The vulnerabilities are described as follows:

CVE-2021-41773

A path traversal vulnerability in Apache HTTP Server version 2.4.49 that could allow unauthorized users to map URLs to files outside the expected document root. This could be done by tricking either the web server or the web application running on it into returning files that exist outside the web root folder. Successful exploitation could lead to exposure of sensitive directories and files.

CVE-2021-41524

A null pointer dereference error during HTTP/2 request processing that could allow an external source to cause a denial of service condition by sending specially crafted HTTP requests.
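As an added illustration (not part of the CERT-PH advisory or Apache's own code), the following Python script scans Apache access-log lines for requests whose decoded path climbs above the document root, which is the class of request the path traversal flaw CVE-2021-41773 concerns. The log lines are constructed samples, and the regex assumes the default "combined" log format.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.11 - - [05/Oct/2021:10:00:02 +0000] "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1421 "-" "curl/7.79"
203.0.113.12 - - [05/Oct/2021:10:00:03 +0000] "GET /docs/../../secret.txt HTTP/1.1" 400 0 "-" "curl/7.79"
203.0.113.13 - - [05/Oct/2021:10:00:04 +0000] "GET /app/a/../b/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Fields of the combined log format that matter here: client IP, request target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def fully_decode(s, max_rounds=3):
    """Percent-decode repeatedly until stable, so double-encoded sequences are caught."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def escapes_root(target):
    """True if the decoded path climbs above the document root at any point."""
    path = fully_decode(target.split("?", 1)[0])  # ignore the query string
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:  # more '..' than directories entered: left the root
                return True
        else:
            depth += 1
    return False

def find_traversal_attempts(log_text):
    """Return (ip, raw target, status) for each request that escapes the root."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and escapes_root(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), int(m.group("status"))))
    return hits
```

A hit that the server answered with status 200 is the one to investigate first, since it means a file was returned for a path that left the document root.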

______________________________

B. List of Vulnerable Systems

Vulnerable versions of Apache HTTP Server:

  • Apache HTTP Server – version 2.4.49

______________________________

C. Actions to be Taken

CERT-PH recommends the following actions be taken:

  • Administrators are urged to test and apply the latest stable version of Apache HTTP Server to mitigate known security threats.
  • Taking a good backup of the system before patching is good practice, in case anomalies or issues are encountered.
  • For additional information, kindly refer to the official Apache advisory (https://httpd.apache.org/security/vulnerabilities_24.html)

Updates:

08 October 2021

The patch previously published by Apache, version 2.4.50, was found not to fully address the path traversal vulnerability CVE-2021-41773.

Soon after, Apache released version 2.4.51, fully addressing the path traversal flaw as well as a newly discovered remote code execution vulnerability.