Apache HTTP Multiple Vulnerabilities
RISK: High Risk
TYPE: Servers - Web Servers
Multiple vulnerabilities were identified in Apache HTTP Server. A remote attacker could exploit some of these vulnerabilities to trigger a denial of service condition, information disclosure, security restriction bypass and remote code execution on the targeted system.
HKCERT is aware of public reports that these vulnerabilities are being exploited in the wild, and encourages users and administrators to review the security update pages for the affected products and apply the related updates as soon as possible.
CVE-2021-41773 is being exploited in the wild.
[Updated on 2021-10-07] A security researcher reported that exploiting CVE-2021-41773 may trigger remote code execution if "mod_cgi" is enabled and the "Require all denied" directive is missing.
[Updated on 2021-10-08] Apache has released a patch to address the incomplete fix of CVE-2021-41773. Updated the "System / Technologies affected", "Solutions", "Vulnerability Identifier" and "Related Links" sections.
Impact
- Security Restriction Bypass
- Denial of Service
- Information Disclosure
- Remote Code Execution
System / Technologies affected
- Apache HTTP Server version 2.4.49
- Apache HTTP Server version 2.4.50 [Updated on 2021-10-08]
Solutions
Before installation of the software, please visit the vendor website for more details.
Apply fixes issued by the vendor:
- Apache HTTP Server version 2.4.51 [Updated on 2021-10-08]
Vulnerability Identifier
- CVE-2021-42013 [Updated on 2021-10-08]
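
The conditions named in this advisory (an affected version, a missing "Require all denied" and an enabled CGI module) can be checked on a host as follows. This is an added example, not HKCERT or Apache code. It assumes the banner comes from `httpd -v`, that the configuration is supplied as one text string with no Include files resolved, and that CGI is loaded through a LoadModule line; the sample input is constructed.

```python
import re

AFFECTED = {"2.4.49", "2.4.50"}  # from "System / Technologies affected"

def server_version(banner):
    """Pull x.y.z out of `httpd -v` output or a Server: header value."""
    m = re.search(r"Apache/(\d+\.\d+\.\d+)", banner)
    return m.group(1) if m else None

def active_lines(conf):
    """Config lines with blanks and # comments dropped."""
    lines = (raw.strip() for raw in conf.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def cgi_enabled(conf):
    """True if a LoadModule line loads mod_cgi or mod_cgid."""
    return any(re.match(r"LoadModule\s+cgid?_module\b", l, re.I)
               for l in active_lines(conf))

def root_denied(conf):
    """True if a <Directory /> block contains `Require all denied`."""
    inside = False
    for l in active_lines(conf):
        if re.match(r'<Directory\s+"?/"?\s*>', l, re.I):
            inside = True
        elif re.match(r"</Directory\s*>", l, re.I):
            inside = False
        elif inside and re.match(r"Require\s+all\s+denied\s*$", l, re.I):
            return True
    return False

def assess(banner, conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    ver, out = server_version(banner), []
    if ver in AFFECTED:
        out.append(f"version {ver} is affected: update to 2.4.51")
        if not root_denied(conf):
            out.append('"Require all denied" is missing from <Directory />')
            if cgi_enabled(conf):
                out.append("a CGI module is loaded: code execution exposure")
    return out

# Constructed sample input, not taken from a real host.
SAMPLE_BANNER = "Server version: Apache/2.4.49 (Unix)"
SAMPLE_CONF = """
LoadModule cgid_module modules/mod_cgid.so
<Directory />
    # Require all denied
</Directory>
"""
```

An empty result only means none of these three conditions was found in the text supplied; a statically compiled CGI module or a directive in an included file is not seen by this check.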