How To Fix CVE-2021-41773 A Path Traversal And File Disclosure Vulnerability In Apache?

A path traversal and file disclosure vulnerability has been found in the Apache web server. The report also reveals that the vulnerability, tracked as CVE-2021-41773, is being exploited in the wild. This post shows how to fix CVE-2021-41773, the Path Traversal and File Disclosure vulnerability.

What Is Apache?


Apache is one of the best-known web server applications and has been in use for a few decades. It is developed and maintained by the Apache Software Foundation. Apache is open source and available for most operating systems, from Linux distributions to macOS and Windows. According to the report, Apache serves approximately 30% of web servers.

Summary Of CVE-2021-41773 a Path Traversal And File Disclosure Vulnerability:

The Apache Software Foundation says this vulnerability was reported on 2021-09-29 and was fixed in Apache HTTP Server v2.4.50 on 2021-10-01. According to the report, “An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by “require all denied” these requests can succeed.” They also added that this vulnerability could leak the source of interpreted files like CGI scripts.

Apache Versions Affecting CVE-2021-41773 Path Traversal And File Disclosure Vulnerability:

This vulnerability affects all versions below Apache v2.4.50. Therefore it is necessary to fix CVE-2021-41773, the Path Traversal and File Disclosure vulnerability, on all such versions, including Apache v2.4.49.

Reported to the security team: 2021-09-29
Fixed by r1893775 in 2.4.50: 2021-10-01
Update 2.4.50 released: 2021-10-04
Affects: 2.4.49

How To Fix CVE-2021-41773 a Path Traversal And File Disclosure Vulnerability?

Apache has released a new version, v2.4.50, in which the Path Traversal and File Disclosure Vulnerability (CVE-2021-41773) is fixed. Below we upgrade Apache to v2.4.50 on Ubuntu or Linux Mint.

You can fix CVE-2021-41773, the Path Traversal and File Disclosure Vulnerability, in two ways.

  1. Update the Apache server to v2.4.50 or later
  2. Set restrictions in the apache2.conf file

Time needed: 10 minutes.

How to Fix CVE-2021-41773

  1. Method 1: Update system repositories

    Run this command on your Ubuntu server to refresh the package lists and upgrade installed packages.

    $ sudo apt update && sudo apt upgrade -y


  2. Check the currently running version of the Apache server

    Run this command to check the Apache server version on the Ubuntu server.

    $ apache2 -v


  3. Add Apache PPA

    Add the ondrej/apache2 PPA so that apt can fetch the latest compiled Apache package.

    $ sudo add-apt-repository ppa:ondrej/apache2 -y && sudo apt update


  4. Install Apache2

    After adding the Apache PPA, install Apache from the new repository.

    $ sudo apt install apache2


  5. Verify the upgrade after the successful installation of Apache

    Verify the Apache version as shown in step 2; it should now report v2.4.50 or later.

    $ apache2 -v


  6. Method 2: Set restrictions in the apache2.conf file

    Edit the apache2.conf file in the /etc/apache2 directory using any text editor. We are using nano in this demonstration.

    $ sudo nano /etc/apache2/apache2.conf


  7. Set restrictions in the apache2.conf file

    In the apache2.conf file, locate the <Directory /> block below and make sure it reads Require all denied; change it if it says granted. This default was updated in v2.4.50, so on the patched version the setting should already be in place, but verify that it is denied. The Apache advisory ties the traversal to files outside the document root that are not protected by “require all denied”, so this setting protects those files no matter which version of Apache you run.

    <Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
    </Directory>

    After making the change, write it to the file with Ctrl + o and Enter, then press Ctrl + x to exit the editor.

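As an added audit helper for both methods above (example code, not from the original post or the Apache project): it parses the banner printed by apache2 -v to tell whether the installed build predates the fixed 2.4.50 release, and it scans an apache2.conf on standard input for the <Directory /> block to tell whether that block is locked down with Require all denied. The sample banners and the two sample config snippets (the weak one with "granted", the corrected one from the post) are constructed for demonstration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): offline audit of the two fixes
# for CVE-2021-41773. Sample banners and configs below are constructed.

FIXED_VERSION="2.4.50"   # release in which CVE-2021-41773 was fixed (from the advisory)

# Pull the dotted version out of a banner such as
# "Server version: Apache/2.4.49 (Ubuntu)"; prints nothing if none is found.
apache_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's#.*Apache/\([0-9][0-9.]*\).*#\1#p' | head -n 1
}

# Exit 0 when dotted version $1 is numerically lower than $2, 1 otherwise.
# Compared field by field so that 2.4.9 < 2.4.50 (a plain string compare gets this wrong).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Exit 0 when the banner reports a version below the fixed release, 1 when it
# is at or above it, 2 when no version could be parsed from the banner.
apache_banner_vulnerable() {
    v=$(apache_version_from_banner "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# Read an Apache config on stdin. Exit 0 when its "<Directory />" block holds
# "Require all denied" and no "Require all granted"; 1 otherwise, including
# when the block is missing altogether.
root_directory_denied() {
    awk '
        tolower($0) ~ /^[ \t]*<directory[ \t]+\/[ \t]*>[ \t]*$/              { inblock = 1; next }
        inblock && tolower($0) ~ /^[ \t]*<\/directory[ \t]*>/               { inblock = 0; next }
        inblock && tolower($0) ~ /^[ \t]*require[ \t]+all[ \t]+denied[ \t]*$/  { denied = 1 }
        inblock && tolower($0) ~ /^[ \t]*require[ \t]+all[ \t]+granted[ \t]*$/ { granted = 1 }
        END { exit (denied && !granted) ? 0 : 1 }
    '
}

# Constructed sample configs: the weak setting beside the corrected one.
WEAK_CONF='<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>'

FIXED_CONF='<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>'

# Report on one banner and one config (config text passed as $2). On a live
# host the equivalent call is:
#   audit "$(apache2 -v)" "$(cat /etc/apache2/apache2.conf)"
audit() {
    ver=$(apache_version_from_banner "$1")
    if apache_banner_vulnerable "$1"; then
        echo "version: $ver is below $FIXED_VERSION, upgrade (Method 1)"
    else
        echo "version: ${ver:-unknown} is not below $FIXED_VERSION"
    fi
    if printf '%s\n' "$2" | root_directory_denied; then
        echo "config: <Directory /> has 'Require all denied'"
    else
        echo "config: <Directory /> lacks 'Require all denied', apply Method 2"
    fi
}

audit "Server version: Apache/2.4.49 (Ubuntu)" "$WEAK_CONF"
audit "Server version: Apache/2.4.50 (Ubuntu)" "$FIXED_CONF"
```

The version comparison is done numerically per field rather than by string sorting, since "2.4.9" sorts after "2.4.50" as text; the config scan treats a block that also contains Require all granted as not locked down, so a partially edited block is reported rather than silently accepted.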

How To Validate Your Site Is Vulnerable To CVE-2021-41773?

iilegaxyyii has created a Python script that checks whether an Apache server is vulnerable to CVE-2021-41773. Download the Python file and pass it the IP address or URL of your site or application, like this:

CVE-2021-41773.py [-h] host

Checks if an apache server is vulnerable to CVE-2021-41773.

positional arguments:
  host        ip/domain to be checked e.g. 'https://google.com/'

optional arguments:
  -h, --help  show this help message and exit

This is how you can upgrade the Apache server to v2.4.50 and fix CVE-2021-41773, the Path Traversal and File Disclosure vulnerability.

We hope this post helps you fix CVE-2021-41773, the Path Traversal and File Disclosure vulnerability, in the Apache server. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, and Medium and subscribe to receive updates like this.

Original article by ItWorker. If reprinting, please credit the source: https://blog.ytso.com/270053.html
