Emergency update to address zero-day vulnerability in Apache HTTP Server

Apache HTTP Server Project developers announced the release of a new update to address a recently discovered zero-day vulnerability after an earlier update proved incomplete. Tracked as CVE-2021-41773, the flaw can be exploited to achieve remote code execution.

Apache HTTP Server 2.4.50 included a patch to address CVE-2021-41773, but the fix was insufficient. The flaw therefore received another identifier, and another update was released that includes the complete fix.

When the flaw was revealed, there were approximately 112,000 potentially vulnerable servers running the affected version, Apache HTTP Server 2.4.49. The number of servers running version 2.4.50 is currently 12,000, and only about 1,600 have been upgraded to version 2.4.51, according to data collected by Shodan.

A proof-of-concept (PoC) exploit was revealed shortly after the public disclosure of the flaw, and various firms have since begun to detect active exploitation attempts.

In this regard, a Cisco Talos report describes the flaw as a path traversal error, with exploitation attempts focusing on two specific paths: /etc/passwd and /bin/sh. Threat actors could try to take advantage of this to access credentials or gain direct access to a shell.
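As an added example (not from the article or from Cisco Talos), the following Python code shows one way a defender could scan web server access logs for traversal requests aimed at the two paths named above. The Common Log Format, the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# The two paths the article says exploitation attempts focus on.
SENSITIVE_TARGETS = ("/etc/passwd", "/bin/sh")

# Common Log Format (assumed): client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')

# Constructed sample lines (documentation-range IPs, hypothetical paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [05/Oct/2021:10:00:02 +0000] "GET /static/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1024',
    '198.51.100.7 - - [05/Oct/2021:10:00:03 +0000] "POST /static/%252e%252e/%252e%252e/bin/sh HTTP/1.1" 403 199',
    '192.0.2.44 - - [05/Oct/2021:10:00:04 +0000] "GET /docs/etc/passwd HTTP/1.1" 404 196',
]

def fully_decode(path, max_rounds=5):
    """Percent-decode repeatedly so nested encodings are also normalized."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def classify(line):
    """Return (client, target, status) for a traversal request, else None."""
    match = LOG_RE.match(line)
    if not match:
        return None
    client, raw_path, status = match.groups()
    path = fully_decode(raw_path.split("?", 1)[0])
    if ".." not in path.split("/"):
        return None  # no parent-directory segment after decoding
    target = next((t for t in SENSITIVE_TARGETS if path.endswith(t)), "other")
    return (client, target, int(status))

def scan(lines):
    """Collect hits; a 2xx status on a hit deserves first attention."""
    return [hit for hit in map(classify, lines) if hit]

if __name__ == "__main__":
    for client, target, status in scan(SAMPLE_LOG):
        print(f"{client} traversal -> {target} (HTTP {status})")
```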

There is still no accurate information about the date on which the attacks began, although Cisco Talos indicates that the flaw was already being exploited by the time version 2.4.50 was released in early October. On the other hand, experts from the security firm GreyNoise report having detected the first attempts to exploit CVE-2021-41773 on October 3.

This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) asked organizations to update their implementations immediately and advised against ignoring security recommendations, in order to mitigate the risk of exploitation.
