The discovery of CVE-2021-41773 and CVE-2021-42013 in Apache httpd underscores the importance of keeping server software up to date to protect against potential exploits. By understanding the nature of these vulnerabilities and taking steps to mitigate them, system administrators and organizations can significantly reduce the risk of their servers being compromised.
Beyond updating to a patched version, server administrators can take several steps to mitigate these vulnerabilities:
:
Understanding the Apache HTTPD 2.4.46 Vulnerabilities Apache HTTP Server version 2.4.46, released in August 2020, was intended to fix several security issues but was soon found to be susceptible to a new set of critical and high-severity vulnerabilities. While version 2.4.46 itself addressed previous flaws like (Remote Code Execution in mod_proxy_uwsgi ), it remained the "vulnerable version" for subsequent critical disclosures that weren't fully patched until version 2.4.48. Key Exploits and Vulnerabilities in 2.4.46
GET /icons/.%2e/ HTTP/1.1 Host: vulnerable-server.com apache httpd 2.4.46 exploit
The first vulnerability, CVE-2021-41773, was publicly disclosed in October 2021. This issue arises from a path traversal vulnerability in the Apache HTTP Server. An attacker could exploit this vulnerability by manipulating URLs in a way that accesses files, directories, or other server resources outside the document root. Additionally, under certain configurations, this vulnerability could also lead to a denial of service (DoS) condition.
: A heap-based buffer overflow can be triggered by a specially crafted SessionHeader sent from an origin server. The discovery of CVE-2021-41773 and CVE-2021-42013 in Apache
Users of version 2.4.46 are strongly recommended to , which addresses these vulnerabilities. Official security advisories can be found on the Apache HTTP Server Security page . Apache HTTP Server 2.4 vulnerabilities