10.05.2021

Apache HTTP Server 2.4.49 vulnerability

Alert

Date of Updated Notice: 10/08/2021

Initial Post Date: 10/05/2021

Action Level - Important

Description

Important update: Apache has now found that the fix in 2.4.50 does not fully address this issue and has released 2.4.51 with a complete fix. They recommend updating any servers currently running 2.4.49 or 2.4.50 to fix this actively exploited critical vulnerability. Please see the official Apache site for more information.

MCNC would like to make you aware of an Apache vulnerability affecting version 2.4.49. This vulnerability could allow an attacker to map URLs to files outside the expected document root with a path traversal attack, as well as leak the source of interpreted files like CGI scripts. An external scan of NCREN customer IPs shows a device on your network that appears to be running Apache 2.4.49. As this is known to currently be exploited in the wild, Apache recommends patching as soon as possible. 

Affected Device

  • Apache 2.4.49

Attack Vector

Attackers with network access to impacted devices.

Attack Feasibility

This has been publicly disclosed and is currently being exploited in the wild.

Mitigations

There are no known mitigations or workarounds to address this vulnerability.

Remediation

Apache has released version 2.4.50, which addresses this as well as one other (lower-impact and not currently exploited) vulnerability. Official information on these vulnerabilities and how to update can be found on the Apache HTTP Server Project site.
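
To find which of your own servers need the update, the following added example (not part of the original notice or of Apache's tooling) triages version banners collected from hosts you administer, such as `httpd -v` output or `Server:` response headers. The host names and banner strings are constructed samples, and the function names are hypothetical.

```python
import re

# Versions this notice says must be updated: 2.4.49, plus 2.4.50,
# whose fix Apache found to be incomplete (2.4.51 has the complete fix).
NEEDS_UPDATE = {(2, 4, 49), (2, 4, 50)}

# Matches "Apache/2.4.49" in a Server header or in `httpd -v` output.
BANNER_RE = re.compile(r"Apache/(\d+)\.(\d+)\.(\d+)")


def classify(banner):
    """Return 'update-now', 'not-listed' or 'unknown' for one banner string."""
    match = BANNER_RE.search(banner)
    if not match:
        # A banner such as "Server: Apache" hides the version, so the host
        # has to be checked locally instead of being assumed safe.
        return "unknown"
    version = tuple(int(part) for part in match.groups())
    return "update-now" if version in NEEDS_UPDATE else "not-listed"


def triage(inventory):
    """Group host names by classification, each group sorted by name."""
    report = {"update-now": [], "unknown": [], "not-listed": []}
    for host, banner in sorted(inventory.items()):
        report[classify(banner)].append(host)
    return report


# Constructed sample inventory (host name -> collected banner).
SAMPLE = {
    "web1.example.org": "Server: Apache/2.4.49 (Unix)",
    "web2.example.org": "Server version: Apache/2.4.50 (Unix)",
    "web3.example.org": "Server: Apache/2.4.51 (Unix)",
    "web4.example.org": "Server: Apache",
    "web5.example.org": "Server: Apache/2.4.48 (Debian)",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` still need a local version check, because a hidden banner says nothing about the installed release.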
