The Apache Software Foundation released further security updates for its HTTP Server on Thursday to address what it calls an “incomplete remedy” for an actively exploited path traversal and remote code execution flaw it had patched earlier in the week.
The new issue, tracked as CVE-2021-42013, is a follow-up to CVE-2021-41773, a path normalization flaw in Apache HTTP Server 2.4.49 that let an attacker map URLs to files outside the expected directories and read arbitrary files on a vulnerable server.
Although that flaw was patched in version 2.4.50, it emerged a day after the release that the bug could also be exploited for remote code execution when the mod_cgi module was loaded and the default “Require all denied” configuration was absent, prompting Apache to issue another round of emergency updates.
The fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was found to be insufficient. According to the foundation, an attacker can use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives.
Such requests can succeed if the files outside those directories are not protected by the usual default configuration, “Require all denied”. If CGI scripts are enabled for the aliased paths, the same traversal can lead to remote code execution.
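To make the flaw class concrete, here is an added toy model of URL-path normalization and Alias mapping. It is not Apache httpd's code; the alias table, the directories and the request paths are constructed for this example, and the two hostile requests simply exercise single and double percent-encoding of a dot inside a dot segment. The model shows three things the advisory text implies: a normalizer that collapses dot segments before percent-decoding lets an encoded “..” through; a normalizer that decodes only once is beaten by double encoding; and a directory grant modelled on “Require all denied” catches both, because it judges where the mapped filename actually lands rather than trusting the normalizer.

```python
"""Toy model of URL-path normalisation and Alias mapping.

Added illustration only: this is NOT Apache httpd's code. The alias
table, directories and request paths below are constructed for the
example.
"""
import posixpath
from urllib.parse import unquote

# Constructed, hypothetical Alias-like table: URL prefix -> directory.
ALIASES = {
    "/cgi-bin/": "/usr/lib/cgi-bin/",
    "/icons/": "/usr/share/apache2/icons/",
}


def collapse_dots(path):
    """Drop '.' segments and resolve '..' against the preceding segment.

    Works on the string exactly as given: a '..' whose dots are still
    percent-encoded is an ordinary segment here and is left in place.
    """
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def alias_map(normalized):
    """Map a normalised URL path onto the filesystem via ALIASES.

    The remainder is percent-decoded once more at this stage, standing in
    for the decode a server performs when building the filename, so any
    escape that survived normalisation is resolved here.
    """
    for prefix, directory in ALIASES.items():
        if normalized.startswith(prefix):
            return directory + unquote(normalized[len(prefix):])
    return None  # no alias matched: nothing is served from this table


def translate_flawed(url):
    """Dot segments are collapsed on the raw, still-encoded path.

    '.%2e' is not recognised as '..', survives the collapse, and is only
    decoded in alias_map, when it is too late.
    """
    return alias_map(collapse_dots(url))


def translate_decode_once(url):
    """Decode once, then collapse.

    Stops the single-encoded case, but a doubly encoded dot
    ('%%32%65' -> '%2e') is still an ordinary segment when collapse_dots
    runs and is decoded later in alias_map.
    """
    return alias_map(collapse_dots(unquote(url)))


def is_allowed(fs_path):
    """Model of '<Directory /> Require all denied' plus per-alias grants.

    A file is served only if its canonical location lies under an aliased
    directory, whatever the normaliser produced.
    """
    if fs_path is None:
        return False
    canonical = posixpath.normpath(fs_path)
    return any(canonical.startswith(d) for d in ALIASES.values())


def translate_hardened(url):
    """Decode once, collapse, then enforce the directory grant."""
    fs_path = translate_decode_once(url)
    return fs_path if is_allowed(fs_path) else None


if __name__ == "__main__":
    # Constructed test requests: single and double percent-encoded dots.
    single = "/icons/.%2e/.%2e/.%2e/.%2e/etc/passwd"
    double = "/icons/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd"
    benign = "/icons/folder.gif"
    for name, fn in [("flawed", translate_flawed),
                     ("decode-once", translate_decode_once),
                     ("hardened", translate_hardened)]:
        for url in (single, double, benign):
            fs = fn(url)
            shown = posixpath.normpath(fs) if fs else "denied"
            print(f"{name:12} {url:52} -> {shown}")
```

Run stand-alone, the table shows the flawed normalizer handing the single-encoded request to `/etc/passwd`, the decode-once normalizer blocking that request but handing the double-encoded one through, and the hardened path denying both while still serving `/icons/folder.gif`. The point for defenders is the last column: the directory grant is independent of how well the normalizer did its job, which is why the advisory singles out configurations that have dropped “Require all denied” as the ones at risk.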
The vulnerability was reported by Juan Escobar of Dreamlab Technologies, Fernando Muñoz of NULL Life CTF Team, and Shungo Kumasaka. Given the active exploitation, users should update to version 2.4.51 without delay.
CISA said that ongoing scanning for vulnerable systems is expected to accelerate and likely lead to exploitation, and urged organizations that have not yet patched to do so immediately.
“CISA is also seeing ongoing scanning of vulnerable systems, which is expected to accelerate, likely leading to exploitation. CISA urges organizations to patch immediately if they haven’t already—this cannot wait until after the holiday weekend,” CISA said.