Apache HTTP server update fails to override path traversal, RCE bugs
Web admins asked to upgrade (again) to the latest version
A patch that was released to correct a path traversal bug in Apache HTTP Server is insufficient to protect against the vulnerability and could allow remote code execution (RCE).
As previously stated by The daily sip, the high impact vulnerability was believed to have been fixed in version 2.4.50 of the Apache server, released earlier this week.
However, not only did the update fail to fix the issue, the developers of the software also warn that it has a bigger security issue than previously thought.
READ MORE Fixed Apache HTTP server development issue for critical data leak vulnerability – update now
In a security notice, the team behind Apache HTTP Server revealed that the update does not protect against a critical RCE bug, which is exploited in the wild.
The blog post reads: âThe patch for CVE-2021-41773 in Apache HTTP Server 2.4.50 was found to be insufficient.
âAn attacker could use a path traversal attack to map URLs to files outside of directories configured by Alias ââtype directives.
“If files outside of these directories are not protected by the usual ‘request all denied’ default configuration, these requests may be successful.” If CGI scripts are also enabled for these alias paths, it could allow remote code execution.
A September update to Apache HTTP Server 2.4 was released to address a number of issues, including server-side request forgery (SSRF) and request smuggling bugs.
These were fixed in version 2.4.49, but the update also introduced a new vulnerability when a flaw was found in changes to the path normalization process.
This new issue allowed an attacker to use a path traversal attack to map URLs to files outside of the expected document root.
DO NOT MISS Developers fix a multitude of vulnerabilities in Apache HTTP Server
Apache fixed the problem in version 2.4.50, but this update was later deemed insufficient.
The developers then released the latest update 2.4.51 which fixes the traversal bug as well as a recently discovered RCE vulnerability.
“The update can’t wait”
US Agency for Cyber ââSecurity and Infrastructure Security (CISA) told web administrators to update against the vulnerability and warned: “Please fix immediately if you haven’t already – this can’t wait after the weekend.” “
The federal agency added, “CISA is also seeing continued analysis of vulnerable systems, which is expected to accelerate, possibly leading to exploitation.”
Web administrators are encouraged to update to version 2.4.51 which can be found in the Apache advisory.
YOU MAY LIKE Twitch Breach Leaks Source Code and Streamer Revenue Data