The Australian Cyber Security Centre has issued a critical alert for the Apache HTTP server, one of Australia’s most widely utilised web servers.
The Australian Cyber Security Centre (ACSC) has issued a critical alert for Apache HTTP Server 2.4.49, with the watchdog warning users that Apache HTTP Server is one of the most widely used web servers in Australia on both Unix and Microsoft systems.
According to the ACSC, the flaw is expected to enable criminals to remotely run arbitrary code that could install malware on the device or access files from “outside of the web server root”.
Media outlet Threat Post reported that 112,000 servers are still running the exploitable version of Apache.
The vulnerability is expected to give threat actors code execution that they can use as a foothold for further attack vectors and continued access.
CVE-2021-41773: A flaw was found in a change made to path normalisation in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are ... https://t.co/ElBwCW3B6J — CVE (@CVEnew), October 5, 2021
According to Apache, the vulnerability was present in the 2.4.49 release.
“It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives,” Apache said on its website.
“If files outside of these directories are not protected by the usual default configuration ‘require all denied’, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.”
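The two advisories above describe the same failure mode: a request path whose dot segments are percent-encoded (once in the 2.4.49 flaw, twice in the incomplete 2.4.50 fix) is mapped to a file outside the configured document root or Alias directory. The following script is an added example written for this article, not code from the ACSC, Apache or Threat Post. It scans Apache combined-format access-log lines, decodes the request path in bounded rounds so that single- and double-encoded dots collapse to `..`, resolves the dot segments, and reports which requests would have climbed above the root and which were served with a 200 rather than refused with a 403. The log lines, client addresses and file names are constructed for the example; the decoder is a simple stand-in for Apache's own path normalisation, not a copy of it.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache's combined format (not real traffic).
# Line 2 uses a single percent-encoded dot segment, line 3 a double-encoded one,
# line 4 a plain '..' that stays inside the document root.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Oct/2021:10:01:02 +1100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
203.0.113.11 - - [05/Oct/2021:10:01:05 +1100] "GET /icons/.%2e/.%2e/private/notes.txt HTTP/1.1" 200 1240 "-" "curl/7.79.1"
203.0.113.12 - - [05/Oct/2021:10:01:09 +1100] "GET /cgi-bin/.%%32%65/.%%32%65/opt/tool HTTP/1.1" 403 199 "-" "curl/7.79.1"
203.0.113.13 - - [05/Oct/2021:10:02:00 +1100] "GET /docs/../index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

# Request line and status code as they appear in the combined log format.
REQUEST_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def decode_path(raw_target: str, max_rounds: int = 3):
    """Strip the query string and percent-decode repeatedly (bounded) so that
    single-encoded (%2e) and double-encoded (%%32%65) dots collapse to '.'.
    Returns (decoded_path, rounds_needed); rounds_needed is 0 for a plain path."""
    path = raw_target.split("?", 1)[0]
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds


def escapes_root(decoded_path: str) -> bool:
    """Resolve '.' and '..' segments; True if the path climbs above the root."""
    depth = 0
    for seg in decoded_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_log(log_text: str):
    """Return one finding per log line whose decoded path contains a '..' segment."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw = m.group("target")
        decoded, rounds = decode_path(raw)
        if ".." not in decoded.split("/"):
            continue
        findings.append({
            "client": line.split(" ", 1)[0],
            "raw": raw,
            "decoded": decoded,
            "encoding_rounds": rounds,          # 0 = plain '..', 1 = %2e, 2 = %%32%65
            "escapes_root": escapes_root(decoded),
            "status": int(m.group("status")),   # 200 here means the request succeeded
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

When triaging, the entries worth attention are those with `escapes_root` True and a 2xx status: on an unpatched 2.4.49 or 2.4.50 server they indicate the directory was not covered by `require all denied`. A 403 on the same request shape shows the default deny held, and a plain `..` that stays inside the root (line 4) is ordinary client behaviour rather than an attack.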
The ACSC has recommended that users immediately apply the updated Apache HTTP Server patch.