Apache, the open-source cross-platform web server software, has released patches to fix two security vulnerabilities that were being exploited by cybercriminals.
Apache has recommended users immediately apply patches for file disclosure and path traversal flaw in its HTTP server and a null pointer dereference in HTTP/2 fuzzing. While the first flaw can be exploited for RCE, the other flaw can enable DoS attacks on the server.
The first flaw - Critical
The first flaw was spotted in a change made to path normalization in Apache HTTP Server 2.4.49.
It is tracked as CVE-2021-41773 and can be used to map URLs to files outside the directories.
Further, it could leak the source of interpreted files like CGI scripts, enabling RCE.
The first vulnerability (CVE-2021-41773) affects Apache HTTP Server 2.4.51 and 2.4.50.
The second flaw - Moderate
The other flaw is CVE-2021-41524 that is observed while processing the HTTP/2 requests.
It enables an attacker to carry out a DoS attack on the server.
The second flaw (CVE-2021-41524) only affects version 2.4.49.
Zero-day vulnerabilities come as an unwelcome surprise and pose a serious threat to any software maker. Such flaws enable attackers to gain initial access inside a targeted network. Therefore, experts recommend following proper patch management programs, using updated software to stay protected, as well as using multi-layered detection systems to flag any intrusions.