Security News > 2021 > October > Running a recent Apache web server version? You probably need to patch it. Now
The Apache Software Foundation has hurried out a patch to address a pair of HTTP Web Server vulnerabilities, at least one of which is already being actively exploited.
Apache's HTTP Server is widely used, and the vulnerabilities, CVE-2021-41524 and CVE-2021-41773, aren't great.
The former was reported to Apache's security team on 17 September and can be exploited by an external source to DoS a server with a specially crafted request.
It turned up in version 2.4.49, which was released on September 15, and the Apache crew is not aware of any exploit.
Apache said yesterday the flaw was reported to the security team on 29 September and a patch prepared on 1 October.
The flaw crept in during a change made to path normalization in version 2.4.49 of the Apache HTTP Server.
News URL
https://go.theregister.com/feed/www.theregister.com/2021/10/06/apache_web_server_data_patch/
Related news
- Russian security firm Dr.Web disconnects all servers after breach (source)
- CISA warns of actively exploited Apache HugeGraph-Server bug (source)
- Rackspace internal monitoring web servers hit by zero-day (source)
- 'Patch yesterday': Zimbra mail servers under siege through RCE vuln (source)
- Finland seizes servers of 'Sipultie' dark web drugs market (source)
- VMware fixes bad patch for critical vCenter Server RCE flaw (source)
- Ransomware hits web hosting servers via vulnerable CyberPanel instances (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-10-05 | CVE-2021-41773 | Path Traversal vulnerability in multiple products A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. | 7.5 |
| 2021-10-05 | CVE-2021-41524 | NULL Pointer Dereference vulnerability in multiple products While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. | 7.5 |