The Apache Software program Basis on Thursday launched extra safety updates for its HTTP Server product to remediate what it says is an “incomplete repair” for anpath traversal and distant code execution flaw that it patched earlier this week.
, as the brand new vulnerability is recognized as, builds upon , a flaw that impacted Apache net servers operating model 2.4.49 and concerned a bug that would allow an adversary to entry and think about arbitrary information saved on a weak server.
Though the flaw was addressed by the maintainers in model 2.4.50, a day after the patches had been launched it grew to become identified that the weak point is also abused to achieve distant code execution if the “mod_cgi” module was loaded and the configuration “require all denied” was absent, prompting Apache to concern one other spherical of emergency updates.
“It was discovered that the repair for CVE-2021-41773 in Apache HTTP Server 2.4.50 was inadequate. An attacker may use a path traversal assault to map URLs to information outdoors the directories configured by Alias-like directives,” the corporatein an advisory. “If information outdoors of those directories are usually not protected by the same old default configuration ‘require all denied’, these requests can succeed. If CGI scripts are additionally enabled for these aliased paths, this might enable for distant code execution.”
Apache credited Juan Escobar from Dreamlab Applied sciences, Fernando Muñoz from NULL Life CTF Staff, and Shungo Kumasaka for reporting the vulnerability. In gentle of energetic exploitation, customers are extremely really useful to replace to the most recent model (2.4.51) to mitigate the chance related to the flaw.
The U.S. Cybersecurity and Infrastructure Safety Company (CISA)it is “seeing ongoing scanning of weak programs, which is anticipated to speed up, probably resulting in exploitation,” urging “organizations to patch instantly in the event that they have not already.”