
Apache Servers Actively Exploited in the Wild, and the Importance of Prompt Patching

Yesterday, I reported that Apache Airflow servers belonging to dozens of popular tech firms had not been patched. Most of these servers were still running the 2015 version of the Airflow workflow management platform, and researchers at Intezer caught them leaking thousands of credentials and configuration secrets because of lax configuration and security practices.

Most of these issues could have been avoided by simply upgrading Airflow to version 2, which comes with extensive improvements and security enhancements.

While that was already an important lesson in why you should update versions promptly, an even bigger issue emerged today. Apache has disclosed what some cybersecurity experts have called “a nasty 0-day path traversal” in HTTP server version 2.4.49.

Zero-day actively exploited in the wild

Tracked as CVE-2021-41773, the vulnerability stems from an incomplete path normalization change introduced in Apache HTTP Server 2.4.49. Unfortunately, the flaw was exploited in the wild before it was reported to the Apache project, making it a zero-day.

Although the issue only impacts web servers running Apache “httpd” v2.4.49 and not earlier versions, Shodan search results show there are over 112,000 Apache servers across the globe running that version, with about 40% located in the U.S.:

[Figure: Apache servers across the globe running the vulnerable “httpd” v2.4.49 version]

“An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by “require all denied” these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts,” reads Apache’s security advisory.
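As an added example (not code from the original post or from the Apache project), the following defender-side check illustrates the normalization-order point behind the flaw described above: percent-decode the request path first, then resolve dot segments, and flag anything that would climb above the document root. It also scans a few access-log lines for such requests; all paths and log lines are constructed for illustration.

```python
# Added example (not from the original post or the Apache project): a
# defender-side check for the normalization-order mistake behind the bug,
# that is, percent-decode the request path FIRST, then resolve '.'/'..'
# segments and flag anything that climbs above the document root.
import re
from urllib.parse import unquote

def decode_fully(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so a doubly encoded segment is caught too."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_docroot(raw_path: str) -> bool:
    """True if the decoded, normalized path would resolve above '/'.
    A normalizer that collapses '..' before decoding never sees an encoded
    dot segment; decoding first closes that gap."""
    depth = 0
    for seg in decode_fully(raw_path).split("/"):
        if seg in ("", "."):
            continue                      # empty or current-dir segment
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True               # climbed above the document root
        else:
            depth += 1
    return False

# Constructed Apache combined-log lines (not real traffic) for the scanner below.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - - [05/Oct/2021:10:00:02 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/conf/app.ini HTTP/1.1" 200 1024
203.0.113.9 - - [05/Oct/2021:10:00:03 +0000] "GET /docs/../index.html HTTP/1.1" 200 512
"""
REQ_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def flag_traversal_requests(log_text: str) -> list:
    """Return (client_ip, request_path) for every line whose path escapes the root."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m and escapes_docroot(m.group(1)):
            hits.append((line.split()[0], m.group(1)))
    return hits
```

The benign `/docs/../index.html` request is not flagged because it never leaves the document root; only the encoded dot segments that a decode-after-normalize implementation would miss are reported.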

Ash Daulton along with the cPanel Security Team reported the vulnerability to Apache on September 29th, with Apache releasing a fixed release 2.4.50 on October (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/apache-servers-actively-exploited-in-wild-importance-of-prompt-patching