
Once again, IT aficionados, developers, and cybersecurity boffins will be interested to know that yet another open-source software vulnerability (following others recently relating to cPanel, Linux distros, and VMware) is causing concern. This time the news concerns the very well-known and widely used Apache HTTP Server, an open-source, cross-platform web server. Apache is used by many large and critical organizations around the world.

The Apache project itself has reported a critical remote code execution (OS command injection) vulnerability affecting Apache HTTP Server (httpd) that is being publicly exploited.

What is Apache HTTP Server?

Apache is a cross-platform web server offered by the Apache Software Foundation. Apache HTTP Server is used for the vast majority of web servers and is a key component for high-profile organizations such as Cisco, IBM, AT&T, eBay, and more. Apache httpd (HTTP server daemon) “has been the most popular web server on the Internet since April 1996.” A vast number of websites still run Apache to this day.

The Exploited Apache Software Vulnerability

On October 7th, 2021, the Apache HTTP Server project released information about a software vulnerability affecting Apache HTTP Server. The vulnerability, CVE-2021-42013 (related to the older and still not completely mitigated CVE-2021-41733), is an OS command injection type vulnerability. It allows a remote attacker to execute arbitrary shell commands on the target system.

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Apache vulnerability is being exploited in the wild. The vulnerability was reported by Juan Escobar from Dreamlab Technologies, Fernando Muñoz from NULL Life CTF Team, Shungo Kumasaka, and Nattapon Jongcharoen.

In-Depth Vulnerability Specifications

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system. It exists because the fix for the path traversal vulnerability #VU57063 (CVE-2021-41733) was insufficient. A remote, unauthenticated attacker can send a specially crafted HTTP request to the affected server and execute arbitrary OS commands on the target system.

Successful exploitation of this vulnerability may result in the complete compromise of a vulnerable system that has not been updated to the latest Apache HTTP Server release.

Vulnerable Apache HTTP Server Versions

The following Apache HTTP Server software versions are vulnerable:

Apache HTTP Server: 2.4.49, 2.4.50
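The two practical questions a defender has after reading the sections above are "is this server on an affected release?" and "has anyone already sent encoded path traversal requests at it?". The following script, added here as an example and not taken from the article or from the Apache project, answers both: it checks a Server banner or `httpd -v` output against the two affected versions listed above, and it scans Apache combined/common-format access log lines, percent-decoding each request path repeatedly (the reason the first fix was insufficient is that a single decoding pass does not expose a doubly encoded dot segment) and flagging any request whose normalised path contains a `..` segment. The log format, the sample log lines, and the IP addresses are all constructed for the example; the encoded forms in the sample are generic illustrations of percent- and double-percent-encoded dots, not a reproduction of any specific exploit.

```python
import re
from urllib.parse import unquote

# Affected releases named in the advisory text above; 2.4.51 is the fixed release.
VULNERABLE_VERSIONS = {"2.4.49", "2.4.50"}
FIXED_VERSION = "2.4.51"

# Matches 'Apache/2.4.49 (Unix)' in a Server header or 'Server version: Apache/2.4.50' from httpd -v
VERSION_RE = re.compile(r"Apache/(\d+\.\d+\.\d+)")

# Common/combined log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def is_vulnerable_version(banner: str) -> bool:
    """True if the banner names one of the affected Apache releases."""
    m = VERSION_RE.search(banner)
    return bool(m) and m.group(1) in VULNERABLE_VERSIONS


def fully_decode(path: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing (bounded), so that a
    doubly encoded sequence such as %252e is normalised to '.' before inspection."""
    rounds = 0
    prev = None
    while prev != path and rounds < max_rounds:
        prev, path = path, unquote(path)
        rounds += 1
    return path


def has_dot_dot_segment(path: str) -> bool:
    """True if the (already decoded) path contains a whole '..' segment.
    The query string is ignored and both '/' and '\\' are treated as separators."""
    path = path.split("?", 1)[0]
    return ".." in re.split(r"[/\\]", path)


def flag_traversal_requests(log_lines):
    """Return (client_ip, raw_path, status) for every request whose decoded path
    contains a '..' segment. Lines that do not parse as access log entries are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        raw_path = m.group("path")
        if has_dot_dot_segment(fully_decode(raw_path)):
            hits.append((m.group("ip"), raw_path, int(m.group("status"))))
    return hits


# Constructed sample access log (addresses from RFC 5737 documentation ranges).
SAMPLE_LOG = [
    '203.0.113.10 - - [07/Oct/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '203.0.113.10 - - [07/Oct/2021:10:01:03 +0000] "GET /images/logo%20v2.png HTTP/1.1" 200 5120',
    '198.51.100.7 - - [07/Oct/2021:10:02:15 +0000] "GET /static/%2e%2e/%2e%2e/app/config.txt HTTP/1.1" 403 199',
    '198.51.100.7 - - [07/Oct/2021:10:02:16 +0000] "GET /static/%252e%252e/%252e%252e/app/config.txt HTTP/1.1" 200 1290',
    '192.0.2.44 - - [07/Oct/2021:10:03:00 +0000] "GET /docs/../docs/readme.txt HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for banner in ("Apache/2.4.49 (Unix)", "Server version: Apache/2.4.51 (Unix)"):
        print(f"{banner!r}: {'AFFECTED' if is_vulnerable_version(banner) else 'not affected'}")
    for ip, path, status in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path} -> {status}")
```

Feed real log data with `flag_traversal_requests(open("/var/log/apache2/access.log"))`. A hit with a 200 status on an affected release is the case worth escalating; a 403 shows the request was blocked but still identifies a source worth watching. Because decoding is bounded rather than unlimited, a pathological path cannot make the scanner loop indefinitely.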

Update Information For Users

A fix that addresses the publicly exploited issue has been released. Apache HTTP Server users should immediately update to release 2.4.51.
