The Apache developers have warned that their first attempt to fix the 0-day vulnerability CVE-2021-41773 failed. Let me remind you that this problem became known last week: it was reported that the vulnerability was already being exploited by hackers, and that it allows a path traversal attack by mapping URLs to files outside the expected document root. As a result, such an attack could lead to the leakage of CGI script source and other files.
But soon after the patch was released, information security specialists began pointing out that the problem could be far more serious and had initially been classified incorrectly. Experts reported that the bug could also be used to execute arbitrary code remotely, and that the fix provided by Apache might not be effective.
As it turns out, the experts were right: the Apache developers have updated their HTTP Server to version 2.4.51 and confirmed that the previous patch for CVE-2021-41773 was indeed incomplete. The new attack vector that the researchers warned about received its own identifier, CVE-2021-42013.
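As an added example that is not part of the original article, here is a defender-side check in Python that flags access-log requests whose path would leave the document root once percent-decoding is applied repeatedly. The log lines, client addresses and request paths are constructed for this example, and the decode-until-stable rule is a general normalisation step, not a description of the specific encodings involved in these CVEs.

```python
# Added example (not from the article): flag access-log requests whose URL
# path resolves outside the document root once fully decoded. Decoding repeats
# until the string stops changing, so "../" hidden behind more than one layer
# of percent-encoding is caught too, a gap a single-pass check can leave open.
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log style (hosts and paths are
# made up for this example).
SAMPLE_LOG = """\
10.0.0.5 - - [07/Oct/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.6 - - [07/Oct/2021:10:00:02 +0000] "GET /cgi-bin/../../etc/passwd HTTP/1.1" 403 199
10.0.0.7 - - [07/Oct/2021:10:00:03 +0000] "GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1203
10.0.0.8 - - [07/Oct/2021:10:00:04 +0000] "GET /cgi-bin/%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 200 1203
10.0.0.9 - - [07/Oct/2021:10:00:05 +0000] "GET /images/a%2Fb/../logo.png HTTP/1.1" 200 8000
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def fully_decode(path: str, max_rounds: int = 5) -> str:
    """Percent-decode until the result stops changing (bounded to avoid loops)."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_docroot(raw_path: str) -> bool:
    """True if the decoded, normalised path climbs above the document root."""
    path = fully_decode(raw_path.split("?", 1)[0])  # ignore the query string
    depth = 0
    for comp in path.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            depth -= 1
            if depth < 0:  # more '..' than real segments: outside the root
                return True
        else:
            depth += 1
    return False

def suspicious_requests(log_text: str) -> list:
    """Return (client, raw_path) for every request that escapes the root."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and escapes_docroot(m.group("path")):
            hits.append((m.group("ip"), m.group("path")))
    return hits
```

Running `suspicious_requests(SAMPLE_LOG)` flags the three traversal attempts and leaves the benign `..` inside `/images/` alone, because the check counts real path depth rather than looking for a literal substring.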
According to the IoT search engine Shodan, about 12,000 servers are currently running Apache version 2.4.50, but only about 1,600 have been updated to the latest version, 2.4.51. Alas, this has not gone unnoticed by cybercriminals, and US-CERT warns that hackers are already actively exploiting the vulnerability.