Security News > 2021 > October > New Patch Released for Actively Exploited 0-Day Apache Path Traversal to RCE Attacks
The Apache Software Foundation on Thursday released additional security updates for its HTTP Server product to remediate what it says is an "Incomplete fix" for an actively exploited path traversal and remote code execution flaw that it patched earlier this week.
CVE-2021-42013, as the new vulnerability is identified as, builds upon CVE-2021-41773, a flaw that impacted Apache web servers running version 2.4.49 and involved a path normalization bug that could enable an adversary to access and view arbitrary files stored on a vulnerable server.
Although the flaw was addressed by the maintainers in version 2.4.50, a day after the patches were released it became known that the weakness could also be abused to gain remote code execution if the "Mod cgi" module was loaded and the configuration "Require all denied" was absent, prompting Apache to issue another round of emergency updates.
"It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives," the company noted in an advisory.
"If files outside of these directories are not protected by the usual default configuration 'require all denied', these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution."
In light of active exploitation, users are highly recommended to update to the latest version to mitigate the risk associated with the flaw.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/6XEDAQCD1K4/new-patch-released-for-actively.html
Related news
- Exploit released for Fortinet RCE bug used in attacks, patch now (source)
- New Fortinet RCE flaw in SSL VPN likely exploited in attacks (source)
- Alert: CISA Warns of Active 'Roundcube' Email Attacks - Patch Now (source)
- ConnectWise urges ScreenConnect admins to patch critical RCE flaw (source)
- Joomla fixes XSS flaws that could expose sites to RCE attacks (source)
- New ScreenConnect RCE flaw exploited in ransomware attacks (source)
- Microsoft March 2024 Patch Tuesday fixes 60 flaws, 18 RCE bugs (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-10-07 | CVE-2021-42013 | It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. | 9.8 |
2021-10-05 | CVE-2021-41773 | Path Traversal vulnerability in multiple products A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. | 7.5 |