Apache HTTP Server 2.4.49 vulnerability
Date of Updated Notice: 10/08/2021
Initial Post Date: 10/05/2021
Action Level - Important
Description
Important update: Apache has now found that the fix in 2.4.50 does not fully address this issue and has released 2.4.51 with a complete fix. They recommend updating any servers currently running 2.4.49 or 2.4.50 to fix this actively exploited critical vulnerability. Please see the official Apache site for more information.
MCNC would like to make you aware of an Apache vulnerability affecting version 2.4.49. This vulnerability could allow an attacker to map URLs to files outside the expected document root with a path traversal attack, as well as leak the source of interpreted files like CGI scripts. An external scan of NCREN customer IPs shows a device on your network that appears to be running Apache 2.4.49. As this is known to currently be exploited in the wild, Apache recommends patching as soon as possible.
Affected Device
- Apache 2.4.49
Attack Vector
Attackers with network access to impacted devices.
Attack Feasibility
This has been publicly disclosed and is currently being exploited in the wild.
Mitigations
There are no known mitigations or workarounds to address this vulnerability.
Remediation
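Apache has released version 2.4.50, which addresses this as well as one other (lower-impact and not currently exploited) vulnerability. As noted in the update at the top of this notice, Apache has since found that 2.4.50 does not fully address the issue and recommends updating to 2.4.51. Official information on these vulnerabilities and how to update can be found on the Apache HTTP Server Project site.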
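To triage an inventory against the versions named in this notice, the following added example (not code from MCNC or the Apache project) classifies `Server` header banners or `httpd -v` output. The host addresses and banner strings are constructed samples, and the function names are hypothetical.

```python
import re

# Versions named in this notice: 2.4.49 is the affected release, 2.4.50 was an
# incomplete fix, 2.4.51 carries the complete fix.
AFFECTED = (2, 4, 49)
INCOMPLETE_FIX = (2, 4, 50)
COMPLETE_FIX = (2, 4, 51)

# Matches "Apache/2.4.49" in a Server header or in `httpd -v` output.
_VERSION_RE = re.compile(r"\bApache/(\d+)\.(\d+)\.(\d+)\b")


def classify(banner):
    """Return (version_or_None, status) for one banner string."""
    m = _VERSION_RE.search(banner)
    if not m:
        # ServerTokens Prod hides the version, or this is not Apache httpd.
        return None, "unknown: check with `httpd -v` on the host"
    version = tuple(int(part) for part in m.groups())
    if version == AFFECTED:
        return version, "affected: update to 2.4.51"
    if version == INCOMPLETE_FIX:
        return version, "incomplete fix: update to 2.4.51"
    if version >= COMPLETE_FIX:
        return version, "has complete fix"
    return version, "not listed as affected by this notice"


def triage(inventory):
    """Return (host, version, status) rows, hosts needing an update first."""
    rows = [(host, *classify(banner)) for host, banner in inventory.items()]
    rows.sort(key=lambda r: (not r[2].startswith(("affected", "incomplete")), r[0]))
    return rows


# Constructed sample inventory (documentation addresses, not real hosts).
SAMPLE = {
    "192.0.2.10": "Server: Apache/2.4.49 (Unix)",
    "192.0.2.11": "Server: Apache/2.4.50 (Unix) OpenSSL/1.1.1l",
    "192.0.2.12": "Server version: Apache/2.4.51 (Unix)",
    "192.0.2.13": "Server: Apache",
    "192.0.2.14": "Server: Apache/2.4.48 (Debian)",
}

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE):
        shown = ".".join(map(str, version)) if version else "-"
        print(f"{host:12} {shown:8} {status}")
```

A banner is only a hint, since it can be hidden or altered by configuration; confirm the installed version on the host before closing out a finding.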