Skip to main content

Apache HTTP Multiple Vulnerabilities

Last Update Date: 8 Oct 2021 Release Date: 6 Oct 2021 10976 Views

RISK: High Risk

TYPE: Servers - Web Servers

TYPE: Web Servers

Multiple vulnerabilities were identified in Apache HTTP Server, a remote attacker could exploit some of these vulnerabilities to trigger denial of service condition, information disclosure, security restriction bypass  and remote code execution on the targeted system.

 

HKCERT is aware of these vulnerabilities have been reported publicly that they are being exploited in the wild, and encourages users and administrators to review the security update pages for the affected products and apply the related updates as soon as possible.

 

Note:
CVE-2021-41773 is being exploited in the wild.

 

[Updated on 2021-10-07] It was reported by security researcher that exploiting CVE-2021-41773 may trigger remote code execution if "mod-cgi" function is enabled and missing "require all denied" function.

 

[Updated on 2021-10-08] Apache has released patch to address the incomplete fix of CVE-2021-41773. Updated "System / Technologies affected", "Solutions", "Vulnerability Identifier" and "Related Links" sections.


Impact

  • Security Restriction Bypass
  • Denial of Service
  • Information Disclosure
  • Remote Code Execution

System / Technologies affected

  • Apache HTTP Server versions 2.4.49
  • Apache HTTP Server versions 2.4.50 [Updated on 2021-10-08]

Solutions

Before installation of the software, please visit the vendor web-site for more details.

 

Apply fixes issued by the vendor:

  • Apache HTTP Server versions 2.4.51 [Updated on 2021-10-08]

Vulnerability Identifier


Source


Related Link