Apache has released fixes for two security flaws in its HTTP server, including a path traversal and file disclosure weakness. According to Apache, the path traversal flaw is being aggressively exploited in the wild.
In an advisory released on Tuesday, the open-source project’s maintainers stated that a vulnerability was discovered in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files beyond the intended document root.
“While fuzzing the 2.4.49 httpd, a new null pointer dereference was detected during HTTP/2 request processing, allowing an external source to DoS the server. This requires a specially crafted request. The vulnerability was recently introduced in version 2.4.49. No exploit is known to the project.”
The advisory adds that these requests can succeed if files beyond the document root are not protected by ‘require all denied.’ The vulnerability might also expose the source of interpreted files, such as CGI scripts.
“An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by ‘require all denied’ these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild,” the advisory goes on.
This new vulnerability is tracked as CVE-2021-41773. Only Apache HTTP Server version 2.4.49 is affected by this flaw. The issue surfaced on September 29, 2021, and the credit for finding and reporting it goes to Ash Daulton and the cPanel Security Team.
In addition to this vulnerability, Apache fixed a null pointer dereference discovered in HTTP/2 request processing, which allows an attacker to launch a denial-of-service (DoS) attack on the server. This flaw was also first present in version 2.4.49, according to the non-profit organization.
To mitigate the path traversal vulnerability and reduce the risk from active exploitation of the issue, experts strongly advise Apache users to patch their web servers as soon as possible.
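The advisory names two conditions an administrator can check: the server runs 2.4.49, and the filesystem root is not covered by ‘require all denied’. The following is an added example, not code from Apache or from this article, that audits both against constructed sample configurations. The function names are hypothetical, and the parser assumes a single configuration text with no `Include` files, nested sections or `.htaccess` overrides.

```python
import re

AFFECTED_VERSION = "2.4.49"  # the only release the advisory lists as affected

# Constructed sample configs (not taken from any real server).
WEAK_CONF = """
<Directory />
    AllowOverride none
    Require all granted
</Directory>
"""
HARDENED_CONF = """
# deny the whole filesystem, then open only the document root
<Directory />
    AllowOverride none
    Require all denied
</Directory>
<Directory "/var/www/html">
    Require all granted
</Directory>
"""

SECTION = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.I | re.S)
REQUIRE = re.compile(r"^\s*(Require\s+.+?)\s*$", re.I | re.M)

def root_requires(conf):
    """Normalized Require directives found inside <Directory /> sections."""
    # Drop comment lines first so a commented-out directive is not counted.
    live = "\n".join(l for l in conf.splitlines() if not l.lstrip().startswith("#"))
    return [" ".join(r.lower().split())
            for path, block in SECTION.findall(live) if path.strip() == "/"
            for r in REQUIRE.findall(block)]

def audit(version, conf):
    """Return a list of findings; an empty list means neither check fired."""
    findings = []
    if version == AFFECTED_VERSION:
        findings.append("httpd 2.4.49 is the affected release: apply the vendor fix")
    reqs = root_requires(conf)
    if "require all denied" not in reqs:
        findings.append("<Directory /> lacks 'Require all denied'")
    if "require all granted" in reqs:
        findings.append("<Directory /> grants access to the whole filesystem")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(AFFECTED_VERSION, conf))
```

The hardened configuration still yields the version finding on 2.4.49: the access rule limits which files a request can reach, but patching remains the fix.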