Apache Patches Zero Day Vulnerability
Apache has issued fixes for two security vulnerabilities in its HTTP Server, including a path traversal and file disclosure flaw that is being actively exploited in the wild. The flaw, tracked as CVE-2021-41773, affects only Apache HTTP Server version 2.4.49. Also resolved is a null pointer dereference in HTTP/2 request processing, tracked as CVE-2021-41524, which an attacker can trigger with a crafted request to mount a denial-of-service (DoS) attack against the server. Apache said this weakness, too, was introduced in version 2.4.49 and does not affect earlier releases.
About 110,000 internet-facing servers were observed running the affected HTTP Server 2.4.49 release at the time of writing. Around 12,000 were running version 2.4.50, and only about 1,600 had been updated to version 2.4.51. The distinction matters: the 2.4.50 release fixed the traversal incompletely (the follow-up issue is tracked as CVE-2021-42013), so 2.4.51 is the version to be on. The flaw does not affect versions before 2.4.49, and whether it can be used to read files depends on the server's access configuration, described below.
Path traversal attacks send requests that try to reach files and directories outside the area the server is meant to serve, using parent-directory ('..') segments in the URL. Normally the server's path normalization rejects such segments, but in 2.4.49 the check was applied while the URL was still percent-encoded, so a segment written as '.%2e' (the second dot URL-encoded) was not recognised as '..' and the request could escape the configured directory. If files outside of the document root are not protected by 'Require all denied', these requests can read them. Additionally, the flaw can leak the source of interpreted files such as CGI scripts, because a traversed path can reach a script without going through the handler that would execute it. For the attack to work, the target has to be running Apache HTTP Server 2.4.49, and access to the filesystem outside the served directories must not be denied. Whether that is the case depends on the deployment: the httpd.conf that ships with Apache denies access to the filesystem root with 'Require all denied' inside a '<Directory />' block, but configurations that relax that block, for example by granting access to '/' as a convenience, are exposed to the file read.
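The following Python script is an added example written for this article; it is not Apache source code. It models the order-of-operations mistake described above (collapsing dot-segments before percent-decoding, so '.%2e' survives and only becomes '..' when the path is decoded for filesystem mapping) next to the corrected order, and then scans a few constructed access-log lines for encoded dot-segments. The document root and the '/cgi-bin/' alias are assumptions that mirror the stock httpd.conf layout, and the log lines are made up. The model stops at a single decode, so it does not reproduce the double-decoding weakness of 2.4.50 (CVE-2021-42013); the log scanner does flag that '%%32%65' spelling, since Apache logs the request line as received, encoding intact.

```python
"""Model of the CVE-2021-41773 traversal (httpd 2.4.49) and an access-log check.

Added example for this article; it is not Apache source. DOCROOT and ALIASES
are assumptions mirroring the stock httpd.conf layout, and LOG_LINES are
constructed. The two map_* functions model only the order of percent-decoding
versus dot-segment normalization, not the full request-processing pipeline.
"""
import posixpath
import re
from urllib.parse import unquote

DOCROOT = "/usr/local/apache2/htdocs"                    # assumed DocumentRoot
ALIASES = {"/cgi-bin/": "/usr/local/apache2/cgi-bin/"}  # assumed ScriptAlias


class TraversalAboveRoot(ValueError):
    """Raised when '..' would climb above the URL root (httpd answers 400)."""


def _collapse_dot_segments(segments):
    """Resolve '.' and '..' over already-split path segments, refusing to
    climb above the root. Only a literal '..' is recognised here."""
    out = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                raise TraversalAboveRoot(segments)
            out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def _to_filesystem(url_path):
    """Map a URL path to a filesystem path via the alias table or DocumentRoot.
    posixpath.normpath stands in for the kernel resolving any '..' left over."""
    for prefix, target in ALIASES.items():
        if url_path.startswith(prefix):
            return posixpath.normpath(target + url_path[len(prefix):])
    return posixpath.normpath(DOCROOT + url_path)


def map_vulnerable(url_path):
    """2.4.49-style order: normalize while the path is still percent-encoded,
    so a segment spelled '.%2e' is an ordinary name that only turns into '..'
    when the path is decoded afterwards for filesystem mapping."""
    try:
        normalized = _collapse_dot_segments(url_path.split("/"))
    except TraversalAboveRoot:
        return None  # a literal '..' escape was always rejected
    return _to_filesystem(unquote(normalized))


def map_fixed(url_path):
    """Corrected order: decode first, then normalize and reject any escape."""
    try:
        normalized = _collapse_dot_segments(unquote(url_path).split("/"))
    except TraversalAboveRoot:
        return None  # 400 Bad Request
    return _to_filesystem(normalized)


# Common Log Format: client identd user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

# A dot-segment spelled with at least one percent-encoded dot (.%2e, %2e., %2e%2e),
# including the double-encoded %%32%65 form used against the incomplete 2.4.50 fix.
_ENC_DOT = r"(?:%2e|%%32%65)"
ENCODED_TRAVERSAL = re.compile(rf"(?i)(?:\.{_ENC_DOT}|{_ENC_DOT}\.|{_ENC_DOT}{_ENC_DOT})(?:/|$)")

# Constructed sample log lines (RFC 5737 documentation addresses).
LOG_LINES = """\
203.0.113.5 - - [05/Oct/2021:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 45
203.0.113.7 - - [05/Oct/2021:10:12:09 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1321
203.0.113.9 - - [05/Oct/2021:10:13:02 +0000] "GET /icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 403 199
198.51.100.2 - - [05/Oct/2021:10:14:11 +0000] "GET /files/report.2021.pdf HTTP/1.1" 200 91044
"""


def find_encoded_traversal(log_text):
    """Return (client_ip, request_target) for every line whose target carries
    an encoded dot-segment. A plain '..' is not reported: the server already
    rejects it, so only the encoded spellings indicate an attempt at this bug."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and ENCODED_TRAVERSAL.search(m["target"]):
            hits.append((m["ip"], m["target"]))
    return hits


if __name__ == "__main__":
    probe = "/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd"
    print("2.4.49 order :", map_vulnerable(probe))  # /etc/passwd
    print("fixed order  :", map_fixed(probe))       # None (rejected)
    for ip, target in find_encoded_traversal(LOG_LINES):
        print("suspicious   :", ip, target)
```

Run against a real access log, the scanner is a quick first pass for whether a 2.4.49 host was probed; a 200 status on a flagged line is the case to investigate first, since a 403 or 404 means the access configuration or the fix stopped it.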
In general, the best protection for your devices is to keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks.