The recently released version 2.4.49 of the Apache HTTP Server contains a flaw introduced by changes made to its path normalisation. The flaw, discovered on the 29th of September and tracked as CVE-2021-41773, enables an attacker to use a path traversal attack to map URLs to files outside the expected document root and request them. If those files are not protected by Apache's "require all denied" directive, the requests succeed, giving the attacker access to sensitive files that would otherwise have been inaccessible.
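As an added illustration (not code from the original post or from Apache), the following Python performs the check a correct normalisation must perform before mapping a URL onto the filesystem: it percent-decodes the request target before interpreting dot segments and flags anything that climbs above the document root, then runs that check over access-log lines to pick out traversal attempts. The log format, field names and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote

# Apache "common" access-log format (matches the constructed sample lines below).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def resolve_request_path(target):
    """Decode and collapse a request target; return (escapes_root, resolved).
    escapes_root is True when the path climbs above the document root."""
    path = target.split("?", 1)[0]
    # Percent-decode until nothing changes so double-encoded dots are
    # resolved too; only then interpret '.' and '..' segments.
    previous = None
    while previous != path:
        previous, path = path, unquote(path)
    segments, escapes_root = [], False
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if segments:
                segments.pop()
            else:
                escapes_root = True  # tried to climb above the root
        else:
            segments.append(segment)
    return escapes_root, "/" + "/".join(segments)

def find_traversal_requests(log_text):
    """Return log entries whose target resolves outside the document root."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        escapes, resolved = resolve_request_path(m["target"])
        if escapes:
            # Status 200 means the file was actually served, i.e. it was
            # not covered by a "Require all denied" directive.
            hits.append({"client": m["client"], "target": m["target"],
                         "resolved": resolved, "status": int(m["status"])})
    return hits

# Constructed sample log lines, not taken from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.5 - - [05/Oct/2021:10:00:02 +0000] "GET /images/../../../etc/passwd HTTP/1.1" 200 1500
203.0.113.9 - - [05/Oct/2021:10:00:03 +0000] "GET /icons/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 403 200
203.0.113.9 - - [05/Oct/2021:10:00:04 +0000] "GET /docs/a/../b.html?x=1 HTTP/1.1" 200 300
"""
```

Calling `find_traversal_requests(SAMPLE_LOG)` returns the two requests that resolve outside the root; a flagged request that returned 200 is the one worth investigating, since the file was served.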
Apache has been asking users to update to the latest version, 2.4.50, which patches the flaw, as soon as possible to avoid having their data breached by an attack.
Because version 2.4.49 was released only recently, on the 15th of September 2021, there is concern that many users will not have updated to the latest version.
Apache is urging its users to patch to the latest version immediately, as a Shodan search shows that 111,940 servers are still running version 2.4.49, which means they are still at risk from the attacks.
Apache released the 2.4.50 patch that fixes the flaw on the 4th of October 2021, just 5 days after the issue was discovered on the 29th of September; however, over 100,000 servers are still running the vulnerable version, and it is unknown how many victims of the attack there are.
57% of cyberattack victims said that applying a patch would have prevented the attack, and 34% say they knew about the vulnerability before the attack. Although patch management can be a major undertaking, it is extremely important for the safety of your customers and your company: effective patch management reduces the risk of exposure and of cyberattacks on your business. To discuss support options and your needs, contact us for a further conversation.