Newly Disclosed Apache Vulnerability (CVE-2021-41773) Exploited in the Wild

Description

Update 10/8 - IPS section appended with newly available IPS signature.

Update 10/7 - APPENDIX section updated with announcements from Apache and US-CERT on the release of version 2.4.51


FortiGuard Labs is aware that a new Apache vulnerability (CVE-2021-41773) was disclosed by the Apache Software Foundation today. According to the advisory they posted, this vulnerability is being exploited in the wild. A patch was released along with the advisory. Servers that run Apache HTTP Server 2.4.49 with the "require all denied" access control configuration disabled (appears to be the default setting) are vulnerable.


Why is this Significant?

This is significant because Apache HTTP Server is one of the most widely used web servers, and the vulnerability is being actively exploited in the wild. A search on Shodan shows more than 100k servers around the globe are running the vulnerable Apache HTTP server 2.4.49.



What is the New Apache Vulnerability?

The vulnerability (CVE-2021-41773) is a path traversal and file disclosure vulnerability. Because of the flaw, backend or sensitive directories that are normally inaccessible become reachable by using encoded characters for the URLs if not blocked by the "require all denied" access control configuration. Additionally, the vulnerability could leak the source of interpreted files like CGI scripts.


What Versions of Apache HTTP Server are Vulnerable?

Apache HTTP Server 2.4.49 with the "require all denied" access control configuration disabled are vulnerable. It appears that "require all denied" access control configuration is disabled by default.


Has the Vendor Released an Advisory?

Yes, the advisory has been released by the Apache Software Foundation. See the Appendix for a link to "Apache HTTP Server 2.4 vulnerabilities".


Has the Vendor Released a Patch? (Updated on 10/08)

Apache 2.4.51 was released on October 8th, 2021 as the fix for CVE-2021-41773 included in Apache 2.4.50 (released on October 5th) was determined to be insufficient. CVE-2021-42013 was assigned to the newer security flaw associated with the insufficient fix. CVE-2021-42013 affects Apache 2.4.49 and Apache 2.4.50.


What is the Status of Coverage?

IPS coverage is available for CVE-2021-41773 as:

Apache.HTTP.Server.cgi-bin.Path.Traversal (18.173)