Critical Software Vulnerability Affecting Apache is Being Exploited


Once again, IT professionals, developers, and security researchers have a new open-source software vulnerability to deal with, following recent issues affecting cPanel, Linux distributions, and VMware. This time the news concerns Apache HTTP Server, the well-known open-source, cross-platform web server maintained by the Apache Software Foundation and used by many large and critical organizations around the world.

The Apache HTTP Server project itself has reported a critical vulnerability in Apache HTTP Server (httpd): a path traversal flaw that can lead to remote code execution and that is being exploited in the wild.

What is Apache HTTP Server?

Apache HTTP Server is a cross-platform web server developed by the Apache Software Foundation. It is one of the most widely used web servers in the world and a key component of the infrastructure of high-profile organizations such as Cisco, IBM, AT&T, and eBay. According to the project, Apache httpd (HTTP server daemon) “has been the most popular web server on the Internet since April 1996,” and a vast number of websites still run on it today.

The Exploited Apache Software Vulnerability

On October 7th, 2021, the Apache HTTP Server project published details of a vulnerability affecting Apache HTTP Server. The vulnerability, CVE-2021-42013, is a path traversal flaw that exists because the fix for CVE-2021-41773 (disclosed only days earlier and patched in release 2.4.50) was insufficient. In affected configurations, it allows a remote attacker to execute arbitrary shell commands on the target system.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Apache vulnerability is being exploited in the wild. The vulnerability was reported by Juan Escobar from Dreamlab Technologies, Fernando Muñoz from NULL Life CTF Team, Shungo Kumasaka, and Nattapon Jongcharoen.

In-Depth Vulnerability Specifications

The vulnerability exists because the fix for the path traversal vulnerability #VU57063 (CVE-2021-41773) shipped in release 2.4.50 was incomplete. A remote, unauthenticated attacker can send a specially crafted HTTP request containing an encoded traversal sequence to map a URL to files outside the directories configured by Alias-like directives. If those files are not protected by the usual default configuration (“require all denied”), the request succeeds and the attacker can read arbitrary files; if CGI scripts are also enabled for the aliased paths (for example via mod_cgi), the same traversal can be used to execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability can result in the complete compromise of a vulnerable system that has not been updated to the latest Apache HTTP Server release.
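To make the traversal mechanism concrete, here is an added detection example (not code from the article or from the Apache project) that scans web server access-log lines for the encoded traversal forms behind these two CVEs. The sample log lines are constructed for the example; the request paths use the publicly documented encodings “.%2e/” (the single-encoded form fixed in 2.4.50) and “.%%32%65/” (the double-encoded form that bypassed that fix). The log line format, the heuristic field names, and the choice of three decoding rounds are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). Lines 2 and 3 carry
# the encoded traversal forms associated with CVE-2021-41773 (".%2e") and
# CVE-2021-42013 (".%%32%65"); line 5 is a generic, non-encoded probe.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Oct/2021:10:01:22 +0000] "GET /index.html HTTP/1.1" 200 1234
203.0.113.11 - - [07/Oct/2021:10:02:05 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1851
203.0.113.12 - - [07/Oct/2021:10:03:41 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 512
203.0.113.13 - - [07/Oct/2021:10:04:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4096
203.0.113.14 - - [07/Oct/2021:10:05:17 +0000] "GET /docs/..%2F..%2Fetc/passwd HTTP/1.1" 403 199
"""

# Extracts the method and request path from a Common/Combined Log Format line
# (assumed format for this example).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly until the result stops changing.

    One round turns ".%2e" into ".."; the double-encoded ".%%32%65" needs two
    rounds (".%%32%65" -> ".%2e" -> ".."). Three rounds is an assumed cap.
    """
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def analyze(path):
    """Return a finding dict for a request path, or None if it looks benign."""
    decoded = fully_decode(path)
    if ".." not in decoded.split("/"):
        return None
    return {
        "decoded": decoded,
        # A literal "../" segment is normalized away by httpd before Alias
        # mapping; the 2.4.49/2.4.50 bugs were in handling the encoded forms.
        # So a raw segment that is not ".." but decodes to ".." is the
        # signature of this specific bug rather than of a generic probe.
        "encoded_dot": any(
            seg != ".." and fully_decode(seg) == ".." for seg in path.split("/")
        ),
        # Traversal under a CGI-enabled alias is what turns file read into
        # command execution (heuristic: the default /cgi-bin/ ScriptAlias).
        "cgi": decoded.startswith("/cgi-bin/"),
    }


def scan_log(text):
    """Scan log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue
        finding = analyze(match["path"])
        if finding:
            finding["method"] = match["method"]
            finding["raw"] = match["path"]
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flags = []
        if hit["encoded_dot"]:
            flags.append("encoded-dot traversal (CVE-2021-41773/42013 shape)")
        if hit["cgi"]:
            flags.append("cgi-bin target, RCE possible if mod_cgi enabled")
        print(f'{hit["method"]} {hit["raw"]} -> {hit["decoded"]} [{"; ".join(flags) or "generic traversal"}]')
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents. The “encoded_dot” flag is the useful discriminator: plain “..%2F” probes are constant background noise on any web server, whereas a segment that only becomes “..” after decoding is specific to the normalization bug in 2.4.49 and 2.4.50. A 200 response on such a request against an unpatched server is the signal to treat the host as compromised rather than merely scanned.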

Vulnerable Apache HTTP Server Versions

The following Apache HTTP Server versions are vulnerable (earlier releases are not affected):

Apache HTTP Server: 2.4.49, 2.4.50

Update Information For Users

A fix has been released: Apache HTTP Server 2.4.51 addresses both CVE-2021-42013 and the earlier CVE-2021-41773. Users running 2.4.49 or 2.4.50 should update to release 2.4.51 immediately from the Apache HTTP Server download page, and review access logs for encoded traversal requests made before the update.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.