The Apache Software program Basis on Thursday launched further safety updates for its HTTP Server product to remediate what it says is an “incomplete repair” for an actively exploited path traversal and distant code execution flaw that it patched earlier this week.
CVE-2021-42013, as the brand new vulnerability is recognized as, builds upon CVE-2021-41773, a flaw that impacted Apache net servers operating model 2.4.49 and concerned a path normalization bug that would allow an adversary to entry and look at arbitrary recordsdata saved on a susceptible server.
Though the flaw was addressed by the maintainers in model 2.4.50, a day after the patches had been launched it grew to become identified that the weak spot is also abused to realize distant code execution if the “mod_cgi” module was loaded and the configuration “require all denied” was absent, prompting Apache to subject one other spherical of emergency updates.
“It was discovered that the repair for CVE-2021-41773 in Apache HTTP Server 2.4.50 was inadequate. An attacker might use a path traversal assault to map URLs to recordsdata exterior the directories configured by Alias-like directives,” the corporate famous in an advisory. “If recordsdata exterior of those directories usually are not protected by the standard default configuration ‘require all denied’, these requests can succeed. If CGI scripts are additionally enabled for these aliased paths, this might permit for distant code execution.”
Apache credited Juan Escobar from Dreamlab Applied sciences, Fernando Muñoz from NULL Life CTF Group, and Shungo Kumasaka for reporting the vulnerability. In mild of lively exploitation, customers are extremely advisable to replace to the newest model (2.4.51) to mitigate the danger related to the flaw.
The U.S. Cybersecurity and Infrastructure Safety Company (CISA) stated it is “seeing ongoing scanning of susceptible programs, which is anticipated to speed up, probably resulting in exploitation,” urging “organizations to patch instantly in the event that they have not already.”