Organizations urged to immediately patch Apache zero day
Posted by: GuidePoint Security
Published 10/13/21, 9:00am
Industry security experts are urging organizations that use the Apache Software Foundation’s HTTP Server to update their systems immediately to version 2.4.51. Apache issued an update (version 2.4.50) last week but found that the fix was insufficient to correct a newly discovered vulnerability that is being actively exploited in the wild. The zero-day vulnerability (initially tracked as CVE-2021-41773, and as CVE-2021-42013 for the issue addressed in version 2.4.51) allows threat actors to launch a path traversal attack by mapping URLs to files outside the expected document root.
Security researchers estimate that more than one hundred thousand Apache HTTP Servers running 2.4.49 and 2.4.50 are operating worldwide, although not all are at risk. Whether the exploit succeeds depends on several factors, including whether “mod_cgi” is enabled and whether the default “Require all denied” option is in place in the configuration.
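Because the flaw is a path traversal that only shows up after the request path is percent-decoded, a useful first check for a defender is to scan existing access logs for request paths that climb above the document root once decoded. The script below is an added example written for this post; it is not GuidePoint’s or the Apache project’s code. It assumes the common Apache “combined/common” access-log layout, and the log lines, client addresses and paths in it are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not taken from any real server.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Oct/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.11 - - [06/Oct/2021:10:01:05 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/etc/hosts HTTP/1.1" 403 199
203.0.113.12 - - [06/Oct/2021:10:01:09 +0000] "GET /icons/.%%32%65/.%%32%65/.%%32%65/etc/hosts HTTP/1.1" 200 97
203.0.113.13 - - [06/Oct/2021:10:01:11 +0000] "GET /docs/../docs/index.html HTTP/1.1" 200 512
"""

# client, method, path, status from a common-format log line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Double (or deeper) encoding is decoded in rounds until the string stops changing.
MAX_DECODE_ROUNDS = 4


def fully_decode(path: str) -> str:
    """Percent-decode a request path repeatedly so nested encodings are unwrapped."""
    decoded = path.split("?", 1)[0]  # query string is irrelevant to file mapping
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded


def decodes_outside_root(path: str) -> bool:
    """True if the decoded path contains a '..' that climbs above the document root.

    A '..' that is balanced by an earlier directory (e.g. /docs/../docs/x) stays
    inside the root and is not flagged; only a net climb above '/' is reported.
    """
    depth = 0
    for segment in fully_decode(path).split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def scan_log(text: str) -> list:
    """Return one dict per log line whose request path escapes the document root."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as an access-log record
        client, method, path, status = m.groups()
        if decodes_outside_root(path):
            hits.append({
                "client": client,
                "method": method,
                "path": path,
                "decoded": fully_decode(path),
                "status": int(status),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        # A 200 on a traversal request deserves more attention than a 403.
        print(f"{hit['client']} {hit['status']} {hit['path']} -> {hit['decoded']}")
```

Run against a real log by replacing SAMPLE_LOG with the file contents. A flagged request with a 2xx status is the one to investigate first; a 403 suggests the `<Directory />` block with `Require all denied` did its job. Alongside the log review, confirm the running version is 2.4.51 or later, since the detection only tells you what has already been tried.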
The second critical vulnerability (tracked as CVE-2021-41524), while not currently being exploited, could enable a denial of service (DoS) attack on the server.
Next Steps
GuidePoint Security reminds organizations that no software is perfect, and vulnerabilities will be discovered in its code. Threat actors often leverage these vulnerabilities to distribute threats and conduct attacks, including ransomware. To help manage the large number of vulnerabilities and zero-days discovered and exploited almost daily, organizations are urged to consider vulnerability management as a service (VMaaS).