On October 05, 2021, the Apache Foundation disclosed a path traversal and file disclosure flaw in Apache HTTP Server versions 2.4.49 and 2.4.50, tracked as CVE-2021-41773 and CVE-2021-42013, respectively, and noted that it is being actively exploited in the wild. A bad actor could exploit this vulnerability and gain access to database credentials through the web server. This could lead to leaking sensitive content, such as source code, passwords, configuration files, and other confidential information.
These issues only impact Apache HTTP Server versions 2.4.49 and 2.4.50, and a patch is now available. It is recommended that all customers running Apache HTTP Server versions 2.4.49 or 2.4.50 update immediately to Server version 2.4.51.
Alert Logic is not affected by this vulnerability.
With Apache noting that this was already exploited in the wild, and our own Security Research team being able to confirm a remote code execution proof-of-concept, it is recommended that all customers running Apache HTTP Server versions 2.4.49 or 2.4.50 update immediately.
Tracked as CVE-2021-41773 and CVE-2021-42013, the exploits allow path traversal, the tactic of sending requests to map out file and directory structures that would not normally be accessible, to gain unauthorized insight into files outside the expected document root. The source for interpreted files, such as CGI scripts, can also be leaked.
The exploit only affects Apache HTTP Server versions 2.4.49 and 2.4.50, and requires that the “require all denied” access control parameter be disabled. Files that reside outside of the document root – and that are not protected by a “require all denied” access control – could potentially be exposed.
More information on the vulnerability can be found on Apache's vulnerability disclosure page for HTTP Server 2.4 under the heading, "Fixed in Apache HTTP Server 2.4.51."
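A defender-side check for the two conditions described above (an affected version, and a filesystem root not covered by "Require all denied"), added here as an illustration and not Alert Logic's or Apache's own code. It assumes the banner comes from `httpd -v` or a Server header and that the configuration is a single file using Apache 2.4 `Require` syntax; the function names and sample inputs are constructed.

```python
import re

AFFECTED = {"2.4.49", "2.4.50"}  # versions named in the advisory

def parse_version(banner):
    """Pull x.y.z out of `httpd -v` output or a Server header value."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", banner)
    return m.group(1) if m else None

def directory_blocks(conf_text):
    """Yield (path, directives) for each <Directory ...> section."""
    path, body = None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or comment
            continue
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            path, body = opened.group(1).strip(), []
        elif line.lower() == "</directory>" and path is not None:
            yield path, body
            path = None
        elif path is not None:
            body.append(line)

def root_denied(conf_text):
    """True when <Directory /> carries 'Require all denied'."""
    for path, body in directory_blocks(conf_text):
        if path == "/":
            return any(re.fullmatch(r"require\s+all\s+denied", d, re.I) for d in body)
    return False

def audit(banner, conf_text):
    """Return a list of findings; an empty list means neither condition holds."""
    findings = []
    version = parse_version(banner)
    if version in AFFECTED:
        findings.append(f"Apache {version} is affected: update to 2.4.51")
    if not root_denied(conf_text):
        findings.append("<Directory /> lacks 'Require all denied'")
    return findings

# Constructed sample input, not taken from any real server.
SAMPLE_BANNER = "Server version: Apache/2.4.49 (Unix)"
SAMPLE_WEAK = "<Directory />\n    AllowOverride none\n    Require all granted\n</Directory>\n"
SAMPLE_HARDENED = "<Directory />\n    AllowOverride none\n    Require all denied\n</Directory>\n"

if __name__ == "__main__":
    for label, conf in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit(SAMPLE_BANNER, conf))
```

The version finding is reported regardless of the access control setting, in line with the recommendation to update.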
Alert Logic Coverage
Vulnerability Scanning: Alert Logic has deployed scan coverage for this vulnerability.
Network IDS: Alert Logic is actively working on deploying new IDS signatures for this vulnerability. Existing IDS signatures have already caught variations of the attack.
Web Application Firewall: By default, WAF provides blocking coverage for this vulnerability.
Log Management: Alert Logic has deployed initial telemetry signatures to aid in detection research. Alert Logic is actively researching this threat to determine whether signatures can be developed to detect attacks.
Recommendations for Mitigation
Apache released an update, HTTP Server version 2.4.51, on October 04, 2021, that addresses this vulnerability. It is recommended that any customer running Apache HTTP Server versions 2.4.49 or 2.4.50 update immediately.
This section will be updated with new information about this vulnerability and related Alert Logic coverage as it becomes available.
10/07/2021: Based on updated guidance from Apache, it is now recommended for customers running HTTP Server versions 2.4.49 and 2.4.50 to upgrade to version 2.4.51.