Security News > 2021 > October > Apache web server zero-day bug is easy to exploit – patch now!

The venerable Apache web server has just been updated to fix a dangerous remote code execution bug.
This bug is already both widely known and trivial to exploit, with examples now circulating freely on Twitter, and a single, innocent-looking web request aimed at your server could be enough for an attacker to take it over completely.
Any software product you use that has its own HTTP interface, such as a document management system or a support ticketing system, might, for all you know, be using Apache as its built-in web server.
Simply put, a path traversal bug happens when a user tries to access a file on the server that ought to be considered off-limits, but the security check on the location of the file fails.
All security-conscious software, especially web servers, needs to be on the lookout for this sort of trickery.
Initial reports correctly implied that this bug was exploitable for reading files that were off-limits, including files outside the web server's own directory tree, as well as script files inside the server tree that were not supposed to be directly accessible.
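The location check described above, written out as an added example (not code from the article or from Apache). The function names and the sample request paths are constructed for illustration; the example contrasts a check on the raw request text with one that decodes and canonicalises the path before testing whether it still lies under the document root.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote


class OffLimits(ValueError):
    """Raised when a request path resolves outside the document root."""


def naive_check(url_path: str) -> bool:
    # Weak form: inspects the raw request text before any decoding,
    # so a percent-encoded ".." segment is not recognised.
    return ".." not in url_path.split("/")


def resolve_under_root(doc_root: str, url_path: str) -> Path:
    # Hardened form: decode first, canonicalise, then test the final location.
    decoded = unquote(url_path)
    if "\x00" in decoded:
        raise OffLimits("NUL byte in path")
    root = Path(doc_root).resolve()
    # resolve() collapses "." and ".." segments and follows symlinks.
    candidate = (root / decoded.lstrip("/")).resolve()
    if candidate != root and root not in candidate.parents:
        raise OffLimits(f"{url_path!r} resolves outside {root}")
    return candidate


def demo() -> dict:
    # Constructed sample request paths (hypothetical, not from the article).
    samples = ["/index.html", "/img/../index.html",
               "/../secret.txt", "/%2e%2e/secret.txt"]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        root.mkdir()
        for path in samples:
            try:
                resolve_under_root(str(root), path)
                allowed = True
            except OffLimits:
                allowed = False
            # (verdict of the raw-text check, verdict of the canonical check)
            results[path] = (naive_check(path), allowed)
    return results


if __name__ == "__main__":
    for path, (naive, strict) in demo().items():
        print(f"{path:24} naive_allows={naive!s:5} canonical_allows={strict}")
```

The raw-text check is wrong in both directions: it rejects a harmless path that stays inside the tree and accepts an encoded one that leaves it, which is why the test has to run on the final resolved location.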