Running a recent Apache web server version? You probably need to patch it. Now

The Apache Software Foundation has hurried out a patch to address a pair of HTTP Web Server vulnerabilities, at least one of which is already being actively exploited.

Apache's HTTP Server is widely used, and the vulnerabilities, CVE-2021-41524 and CVE-2021-41773, aren't great. The latter, a path traversal and file disclosure flaw, is particularly problematic.

The former was reported to Apache's security team on 17 September and can be exploited by an external source to DoS a server with a specially crafted request. It turned up in version 2.4.49, which was released on September 15, and the Apache crew is not aware of any exploit.

The other, a critical data leak bug, was also introduced in version 2.4.49. Apache said yesterday the flaw was reported to the security team on 29 September and a patch prepared on 1 October. The fix was released, along with a fix for the other vulnerability, on 4 October in version 2.4.50.

• ALPACA gnaws through TLS protection to snarf cookies and steal data
• Update on PHP source code compromise: User database leak suspected
• QNAP caught napping as disclosure delay expires, critical NAS bugs revealed
• In Rust we trust: Shoring up Apache, ISRG ditches C, turns to wunderkind lang for new TLS crypto module

According to Apache, CVE-2021-41773 allows an attacker to "use a path traversal attack to map URLs to files outside the expected document root." If those files are not protected by "require all denied," then all manner of bad things can happen: the request for the file could succeed, source code to CGI scripts could leak, and so on.

The flaw crept in during a change made to path normalization in version 2.4.49 of the Apache HTTP Server. To be clear, both bugs are present in 2.4.49 only.

The advice, as ever, is to patch affected servers. Miscreants are already exploiting one of the holes. Given how new version 2.4.49 is, not too many systems will be running it and therefore vulnerable.

That said, there are about 113,000 potentially at-risk boxes, some of which are probably honeypots, facing the public internet right now, according to Shodan. ®