Apache Releases Security Update for Apache HTTP Server 2.4

CISA has issued a statement warning of active exploitation of a vulnerability, CVE-2021-40438, affecting Apache HTTP Server 2.4.48 and earlier. Discovered in September 2021, CVE-2021-40438 is a critical vulnerability (CVSS v3 9.0) that can allow a crafted request uri-path to cause mon_proxy to forward the request to an origin server chosen by the remote user. CISA has added CVE-2021-40438 to their Known Exploited Vulnerabilities Catalog.

Affected organisations, running Apache HTTP Server 2.4.48 or earlier, are urged to review the Apache HTTP Server 2.4 security advisory and update to the latest version 2.4.51 - see 'Remediation advice' section below.

Organisations should also be aware that products from vendors using Apache HTTP Server as third-party software may also be impacted by this vulnerability. Some of these affected products are listed here on the CVE-2021-40438 entry on Mitre's CVE List.

Apache released Apache HTTP Server 2.4.50 on 04/20/2021 to address CVE-2021-41733 and CVE-2021-41524 but has since discovered that the fix for the path traversal CVE-2021-41733 vulnerability in this update was insufficient. A new path traversal vulnerability has been discovered, that affects Apache HTTP Server 2.4.49 and 2.4.50, tracked as CVE-2021-42013, and rated by Apache as 'critical'. This vulnerability could allow an attacker to use a path traversal attack to map URLs to files outside the directories configured by Alias-like directive. The attack could be successful if files are not protected by the default "Require all denied" option. If CGI scripts are also enabled on theses alias paths, this could result in remote code execution (RCE). Apache has now released a further security update, Apache HTTP Server 2.4.51, that fixes CVE-2021-42013 as well as fixing CVE-2021-41733 and CVE-2021-41524.