6 October 2021

Apache fixes web server zero-day actively exploited in the wild

The Apache Software Foundation has released a security update to address a zero-day in the Apache HTTP Server actively exploited by hackers.

Tracked as CVE-2021-41773, the issue is a path traversal vulnerability that exists due to an input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied", these requests can succeed. Additionally, the bug could leak the source of interpreted files such as CGI scripts.

CVE-2021-41773 affects Apache HTTP Server 2.4.49.
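As an added example (not Apache's code or anything from the advisory), the script below shows what a defender can do with ordinary access logs: it percent-decodes each request path, re-checks it after every decoding pass, and flags any request that would resolve above the document root, which is the effect the vulnerability produces. The log lines and IP addresses are constructed for illustration.

```python
# Added example, not Apache's code: flag requests whose URL path, after
# percent-decoding, resolves above the document root (the effect of
# CVE-2021-41773). Log lines below are constructed for illustration.
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.5 - - [06/Oct/2021:10:00:02 +0000] "GET /icons/../images/logo.png HTTP/1.1" 200 2048 "-" "curl/7.68.0"
198.51.100.7 - - [06/Oct/2021:10:00:03 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1380 "-" "python-requests/2.26"
198.51.100.7 - - [06/Oct/2021:10:00:04 +0000] "GET /cgi-bin/%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 404 196 "-" "python-requests/2.26"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def escapes_docroot(raw_path: str, max_decode: int = 3) -> bool:
    """True if the path, after repeated percent-decoding, climbs above its root.

    Every decoding pass is checked on its own, because the server may decode
    fewer times than the sender assumed. Query strings are ignored.
    """
    path = raw_path.split("?", 1)[0]
    for _ in range(max_decode + 1):
        depth = 0
        for segment in path.split("/"):
            if segment == "..":
                depth -= 1
                if depth < 0:          # climbed above the root
                    return True
            elif segment not in ("", "."):
                depth += 1
        decoded = unquote(path)
        if decoded == path:            # nothing left to decode
            break
        path = decoded
    return False


def suspicious_requests(log_text: str) -> list:
    """Parsed entries for requests that resolve outside the document root."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and escapes_docroot(m["path"]):
            hits.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['path']}")
```

A 200 response on a flagged request is the case worth triaging first; a 404 on the same path is evidence of probing, which is still useful for blocking and for deciding whether "require all denied" is actually applied outside the document root.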

Apache has also resolved a NULL pointer dereference issue (CVE-2021-41524) impacting Apache HTTP Server 2.4.49. The bug stems from a NULL pointer dereference error when processing HTTP/2 requests and allows a remote attacker to perform a DoS (denial-of-service) attack.
