Security News > 2021 > October > Apache emergency update fixes incomplete patch for exploited bug

Apache emergency update fixes incomplete patch for exploited bug
2021-10-07 20:35

Apache Software Foundation has released HTTP Web Server 2.4.51 after researchers discovered that a previous security update didn't correctly fix an actively exploited vulnerability.

On Tuesday, Apache released Apache HTTP 2.4.50 to fix an actively exploited path traversal vulnerability in version 2.4.49.

"A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root," disclosed Apache in a security advisory.

With so many servers potentially vulnerable to remote code execution, it became even more critical for admins to update their Apache HTTP servers.

Today, Apache released version 2.4.51 after discovering that their previous fix for the actively exploited CVE-2021-41773 vulnerability was incomplete.

Due to this, it is strongly recommended that admins immediately upgrade their servers to Apache HTTP 2.4.51 to remove any attack vectors left after the previous patch.


News URL

https://www.bleepingcomputer.com/news/security/apache-emergency-update-fixes-incomplete-patch-for-exploited-bug/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-10-05 CVE-2021-41773 Path Traversal vulnerability in multiple products
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49.
network
low complexity
apache fedoraproject oracle netapp CWE-22
7.5

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Apache 281 13 549 713 367 1642