The Apache Software Foundation dispatched a patch to correct a pair of HTTP web server vulnerabilities, at least one of which is already actively exploited.
The first was reported to Apache’s security team on September 17 and can be exploited by a source outside of a server’s DoS with a specially crafted request. It appeared in version 2.4.49, released on September 15, and the Apache team is not aware of any exploits.
The other, a critical data leak bug, was also introduced in version 2.4.49. Apache said yesterday the flaw was reported to the security team on September 29 and a fix was prepared on October 1. The patch was released, along with a patch for the other vulnerability, on October 4 in version 2.4.50.
According to Apache, CVE-2021-41773 allows an attacker to “use a path traversal attack to map URLs to files outside of the expected document root”. If these files are not protected by “request all denied”, then all kinds of bad things can happen: the file request can be successful, the source code of CGI scripts can leak, and so on.
The flaw crept in during a change made to the normalization of paths in version 2.4.49 of the Apache HTTP server. To be clear, the two bugs are present in 2.4.49 only.
The advice, as always, is to fix the affected servers. Disbelievers are already exploiting one of the holes. Considering the new version 2.4.49, few systems will run it and therefore be vulnerable.
That said, there are around 113,000 potentially risky boxes, some of which are likely honeypots, facing the public internet right now, according to Shodan. ®