Apache fixed an actively exploited zero-day vulnerability

The Apache Software Foundation released a patch for a zero-day vulnerability in Apache HTTP Server that is being exploited in the wild.

One of the world's most popular web servers, Apache HTTP Server, was exposed to online attacks through a zero-day vulnerability. Users were urged to upgrade directly to 2.4.50, skipping 2.4.49 if they have not installed it yet. The vulnerability, tracked as CVE-2021-41773, was reported to the Apache team by Ash Daulton and the cPanel Security Team.

Path traversal and subsequent file disclosure

Apache issued a security advisory about the bug, which is currently under attack in the wild, and stated that it could allow third parties to access sensitive information. CVE-2021-41773 allows path traversal and subsequent file disclosure: an unauthorized third party can read files on the Apache HTTP server that lie outside the directories the server is meant to publish. The flaw only affects version 2.4.49.

The flaw can also expose the source of interpreted files, including CGI scripts, which may contain sensitive information that third parties can use for further attacks. Users can protect themselves by upgrading to the latest version, 2.4.50. Researchers also stated that "require all denied" should be the default for protecting documents outside of the webroot. Apache's security advisory states,

“While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request.

The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.”
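As an added example (not from Apache's advisory or this article), the deny-by-default layout behind the "require all denied" advice above: the permissive root setting is shown commented out beside the hardened one, and the document-root and CGI paths are assumptions.

```apache
# Added example, not part of the Apache advisory. Paths below are assumed:
# document root /var/www/html, CGI scripts in /usr/lib/cgi-bin.

# Weak: a permissive filesystem root means any request that escapes the
# document root (via an alias or a traversal bug) can be served from
# anywhere on the disk.
#<Directory />
#    Require all granted
#</Directory>

# Hardened: deny everything on the filesystem by default, then grant
# access only to the directories that are actually published.
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# Published content: allowed explicitly, with directory listings and
# symlink following switched off and .htaccess overrides disabled.
DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# CGI scripts: ScriptAlias marks this directory as CGI; access is granted
# here only, so files outside it still fall under the root's "denied".
ScriptAlias "/cgi-bin/" "/usr/lib/cgi-bin/"
<Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Require all granted
</Directory>
```

Validate the configuration with `apachectl configtest` before reloading, and confirm the running version with `httpd -v` (or `apache2 -v` on Debian-based systems) to verify the upgrade to 2.4.50 took effect.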