An actively exploited path traversal and remote code execution vulnerability in the Apache HTTP Server received a further set of security updates this Thursday. The main flaw, tracked as CVE-2021-41773, was fixed earlier this week, but the Apache Software Foundation has now released an additional patch for a follow-on vulnerability, tracked as CVE-2021-42013, affecting the fix for the actively exploited zero-day.
According to the information that has been revealed, an attacker targeting the CVE-2021-41773 flaw may access and read arbitrary files on a susceptible Apache web server running version 2.4.49.
A day after the fix for this vulnerability was made available in version 2.4.50, it was discovered that the fix was insufficient and that the vulnerability could also be exploited to obtain remote code execution if the mod_cgi module is loaded and the “require all denied” configuration is missing. This discovery forced Apache to issue a further round of emergency upgrades.
In its advisory, the foundation noted that path traversal attacks may be used by an attacker to map URLs to files outside the directories configured by Alias-like directives. Unless files outside these directories are protected by the default “require all denied” configuration, such requests can succeed. If CGI scripts are enabled for these aliased paths, the flaw can also be used for remote code execution.
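The advisory's two conditions (mod_cgi loaded, no default “Require all denied” on the filesystem root) can be checked against a configuration file. The audit below is an added example, not code from Apache or the advisory; the two httpd.conf fragments are constructed, and the checker is a heuristic that reads a single file without following Include directives, so upgrading to 2.4.51 remains the actual fix.

```python
import re

# Constructed httpd.conf fragments (assumed, not taken from any real server).
# WEAK_CONF exposes CGI and has no deny-by-default on "/"; HARDENED_CONF adds it.
WEAK_CONF = """
LoadModule cgi_module modules/mod_cgi.so
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
<Directory "/usr/local/apache2/cgi-bin">
    Require all granted
</Directory>
"""

HARDENED_CONF = """
LoadModule cgi_module modules/mod_cgi.so
<Directory />
    AllowOverride None
    Require all denied
</Directory>
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
<Directory "/usr/local/apache2/cgi-bin">
    Require all granted
</Directory>
"""

# <Directory "path"> ... </Directory>, with or without quotes around the path.
DIR_BLOCK = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.S | re.I)
ROOT_DENY = re.compile(r'^\s*Require\s+all\s+denied\s*$', re.M | re.I)
CGI_LOADED = re.compile(r'^\s*LoadModule\s+cgi_module\b', re.M | re.I)
ALIAS_TARGET = re.compile(r'^\s*(?:Script)?Alias(?:Match)?\s+\S+\s+"?([^"\s]+)"?', re.M | re.I)


def audit(conf: str) -> dict:
    """Report whether the mitigations named in the advisory are present."""
    # Deny-by-default is only effective when it is set on the filesystem root.
    root_denied = any(path == "/" and ROOT_DENY.search(body)
                      for path, body in DIR_BLOCK.findall(conf))
    cgi_loaded = CGI_LOADED.search(conf) is not None
    aliases = ALIAS_TARGET.findall(conf)  # directories reachable via Alias-like directives
    return {
        "root_denied": root_denied,
        "cgi_loaded": cgi_loaded,
        "aliases": aliases,
        # Both advisory conditions hold: traversal could reach code execution.
        "rce_exposure": cgi_loaded and not root_denied,
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```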
Because this vulnerability is under active exploitation, Apache users are strongly advised to upgrade to the most recent version (2.4.51) to reduce their exposure to its consequences.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is strongly encouraging organizations that have not yet applied the latest security patch to do so quickly, as the agency is observing ongoing scanning for vulnerable systems, which is expected to increase and is likely to lead to widespread exploitation of the flaw.