1. Summary
| Vulnerability Name | Apache HTTP Server Path Traversal Vulnerability (CVE-2021-41773) |
|---|---|
| Release Date | October 5, 2021 |
| Component Name | Apache HTTP Server |
| Affected Versions | Apache HTTP Server 2.4.49 |
| Vulnerability Type | Path Traversal |
| Severity | CVSS v3 Base Score 7.5 (High) |
| Exploitability | Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None |
| Impact | Confidentiality Impact: High Integrity Impact: None Availability Impact: None |
2. About CVE-2021-41773
2.1 Introduction
Apache HTTP Server is an open-source web server, developed by the Apache Foundation. Because of its cross-platform functions and security, it has become one of the most popular web servers in use today. It is fast, reliable and can be extended through a simple API to compile Perl/Python, and other interpreters into the server.
2.2 Summary
On October 5, 2021, Sangfor FarSight Labs received a notice about the Apache HTTP Server path traversal vulnerability (CVE-2021-41773), classified as high severity with a CVSS Score of 7.8.
An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.
Update: The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.
3. Affected Versions
Apache HTTP Server 2.4.49
4. Solutions
4.1 Remediation Solutions
4.1.1 Check the Component Version
Enter command httpd -v in the server backend to view the current version.
4.1.2 Solution from Apache
Apache has released a new version to fix the vulnerability. Affected users can download from the following link: https://httpd.apache.org/download.cgi
Update: The fix in Apache HTTP Server 2.4.50 was found to be incomplete, see CVE-2021-42013.
4.2 Sangfor Solutions
4.2.1 Security Monitoring
The following Sangfor products and services perform real-time monitoring of assets affected by the Apache HTTP Server path traversal vulnerability (CVE-2021-41773):
- Sangfor Cyber Guardian (Managed Detection and Response)
- Sangfor Cyber Command (Network Detection and Response)
4.2.2 Security Protection
The following Sangfor products and services provide protection against the Apache HTTP Server path traversal vulnerability (CVE-2021-41773):
5. Timeline
On October 5, 2021, Sangfor FarSight Labs received a notice about the Apache HTTP Server path traversal vulnerability (CVE-2021-41773).
On October 5, 2021, Sangfor FarSight Labs released a vulnerability alert.
On October 8, 2021, Sangfor FarSight Labs updated the vulnerability alert to include advisory relating to CVE-2021-42013.
6. Reference
https://httpd.apache.org/security/vulnerabilities_24.html
https://nvd.nist.gov/vuln/detail/CVE-2021-41773
7. Learn More
Sangfor FarSight Labs researches the latest cyberthreats and unknown zero-day vulnerabilities, alerting customers to potential dangers to their organizations, and providing real-time solutions with actionable intelligence. Sangfor FarSight Labs works with other security vendors and the security community at large to identify and verify global cyberthreats, providing fast and easy protection for customers.
